The UK GDPR protects individuals’ data protection rights and freedoms. As a business, it’s your priority to respect these rights and minimise risk wherever possible. That’s where a data protection impact assessment (DPIA) comes in.
A DPIA helps you identify potential risks before they develop. Not only does this help demonstrate your legal compliance with the UK GDPR, but it also keeps individuals’ personal data out of harm’s way. Learn more about DPIAs and when one is needed for your organisation below.
What Is a DPIA?
A data protection impact assessment (DPIA) is a type of risk assessment. During a DPIA, a business will assess, identify and mitigate the data protection risks associated with a new processing activity.
This assessment is mandated for high-risk processing, so you usually conduct them before any new projects or processing activities begin. DPIAs, however, are not a one-off tick-box exercise. They should be considered a “live” document, and organisations should review them periodically until processing activity stops.
DPIAs are key to your accountability obligations and can demonstrate your compliance with other data protection principles.
When Is a DPIA Needed?
Under Article 35 of the UK GDPR, a DPIA is needed if:
- You plan to conduct a systematic and extensive evaluation of individuals’ personal aspects using automated processing. This includes profiling and can be applied to software that filters job applications.
- You process sensitive data on a large scale. This refers to special category and criminal conviction data, which requires extra protection as misuse could seriously harm an individual. What is considered ‘large scale’ depends on the size of the organisation doing the processing.
- You systematically monitor public areas on a large scale, which involves using CCTV systems.
Alongside what’s required by law, the Information Commissioner’s Office (ICO) has outlined other high-risk operations that require a DPIA:
- Evaluation or scoring;
- Automated decision-making with legal or similar effects;
- Systematic monitoring;
- Sensitive data or highly personal data;
- Large-scale data processing;
- Data matching or combining;
- Data on vulnerable data subjects;
- Innovative use or applying new technological or organisational solutions; and,
- Preventing data subjects from exercising their rights or using a service or contract.
(EU protection authorities, Article 29 working party (WP29))
Do You Need a DPIA for AI?
In short, yes! AI is considered to be innovative new technology and is therefore likely to indicate a high risk to the individual’s rights and freedoms.
AI is used in many process-driven operations, including new technologies, invisible processing, data matching and location or behaviour tracking. As the ICO states, all of these operations can result in high risk, and if they are done on a large scale, a DPIA is more necessary than ever.
Want to adopt AI in your business? Read our guide on using AI in compliance with the UK GDPR.
Who Should Be Involved in a DPIA?
If you need to conduct a DPIA, consult your Data Protection Officer (DPO) on how to approach it. You should include your project lead, processors, and legal advisors if necessary.
At Data Protection People, we offer GDPR training on DPIAs, so if you’re feeling lost about what to do, we’ll help guide you through conducting one.
Need Help with a DPIA? Our DPOs Are Here to Help
You could spend hours completing a DPIA or outsource it to our DPOs to complete the job efficiently, effectively, and, most importantly, compliantly.
Our outsourced DPOs offer impartial advice on undertaking a DPIA, as well as the measures you must take to mitigate risks and whether the processing activities can go ahead. Contact our team today to get help with your next DPIA.