Data Protection Impact Assessments – Why? When? How?
The principle of ‘privacy by design’ is not new, but it is embedded within the EU General Data Protection Regulation (GDPR). At the heart of a privacy by design approach is the DPIA, and the GDPR sets out when such assessments are mandatory. This guide also considers when, while not necessarily mandatory, they may be advisable.
WHAT IS A DPIA?
Data Protection Impact Assessments (DPIAs) are a management tool to help organisations identify, assess and mitigate or minimise any privacy risks associated with data processing activities. (These assessments were previously known as Privacy Impact Assessments – PIAs.)
They ensure problems are found and fixed during the early stages when implementing new systems, technologies or processes. DPIAs can also be used to assess the privacy impact of the continued use of existing systems, technologies or processes.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance to the Data Protection Act 1998 or other statutory measures referred to in the document.