When To Do A DPIA
Hosted by David Holmes and Phil Brining
When to complete a Data Protection Impact Assessment (DPIA)
A DPIA is a crucial tool for organisations to assess the privacy impact of their data processing activities. The UK General Data Protection Regulation (UK <a href=”https://dataprotectionpeople.com/service/gdpr-support-desk/” style=”text-decoration; color: #41495c”>GDPR</a>) requires that a DPIA be completed in certain circumstances, as it plays a significant role in safeguarding the privacy rights of individuals. A DPIA is a risk assessment process that evaluates the potential consequences of data processing activities on the privacy of individuals.
When to complete a DPIA
1. Processing of sensitive personal data
The UK GDPR recognises certain types of personal data such as data related to health, race, or political views, as sensitive. The processing of these types of data poses a higher risk to the privacy rights of individuals, and therefore requires a higher level of protection. A DPIA is therefore necessary to assess and mitigate any risks.
2. Large scale processing
Another scenario when a DPIA should be completed is for data processing activities that take place on a large scale. This could include activities like employee monitoring or tracking of customers through a loyalty program. Large-scale processing activities are more likely to impact a large number of individuals and therefore pose a higher risk to privacy rights. A DPIA is required to assess and manage these risks.
3. New technology usage
If you plan to use new technology for data processing, a DPIA should be conducted to evaluate the impact on privacy. New technologies often bring new privacy risks, and a DPIA will help organisations to identify and manage these risks before they cause harm. The DPIA process will also help organisations to ensure that their data processing activities are compliant with the UK GDPR and that the privacy rights of individuals are protected.
4. Automated decision-making
If you use automated decision-making processes that significantly impact individuals, a DPIA should be completed. Automated decision-making is becoming increasingly common, and it can have significant consequences for individuals. For example, decisions related to credit, employment, or insurance can significantly impact an individual’s life. A DPIA is necessary to assess the potential consequences of these decisions on privacy rights and to ensure that the privacy rights of individuals are protected.
When NOT to complete a DPIA
1. Routine data processing activities
A DPIA is not necessary for routine data processing activities that do not pose a significant risk to the privacy rights of individuals. For example, if you collect and process data for basic customer
relationship management purposes, this is considered routine data processing and is unlikely to pose a significant risk to privacy rights. In these cases, a DPIA is not required.
2. Low-risk processing activities
A DPIA is not required for activities that pose a low risk to the privacy rights of individuals. For example, if you collect and process data for basic administrative purposes, such as managing employee records (excluding any sickness records or other sensitive information), this is considered low-risk processing and is unlikely to pose a significant risk to privacy rights.
3. Processing activities covered by GDPR exemptions
Certain processing activities are exempt from the DPIA requirement under the UK GDPR, such as activities carried out by public authorities or for journalistic purposes. In these cases, the processing is considered to be in the public interest and is exempt from the DPIA requirement. However, it is still important to assess the privacy impact of these activities to ensure that privacy rights are protected.
In conclusion, a DPIA is an important tool for organisations to help them identify, assess and manage the impact of data processing activities on privacy rights. A DPIA should be completed for high-risk activities and whenever new technology is introduced.
The Data Protection Made Easy podcast now has over 100 episodes all available online covering a wide range of topics related to data protection and information security. If you can’t join us on one of our sessions live, search for ‘Data Protection Made Easy’ on all major audio streaming platforms including Spotify and listen back to any of our thoughtful discussions. If you would like to register for future episodes of the podcast, click here: Events