If you've been ignoring the DPIA and how it fits into your company's GDPR compliance guidelines, it's time to pay more attention. Here's what you need to know.
The European Union’s General Data Protection Regulation (GDPR) is due to arrive in about six months—May 25, 2018 to be exact—and with around 100 articles and a couple hundred requirements within them, there are quite a few guidelines companies must carry out to reach full compliance. In particular, some companies need to plan, prepare, and implement a Data Protection Impact Assessment (DPIA).
But what is the DPIA and does it have anything to do with your company? The short answer: Maybe.
Basically, a DPIA is a mandatory requirement found in Article 35 of the GDPR. It asks companies (mainly data controllers) dealing with “high risk” data or any personal data related to criminal convictions to identify, fix, prevent, and report any problems regarding data protection, to find and fix any flaws within data processing systems, and to assess and prevent the risk of harm to data subjects that could result from a data breach.
To find out if a company needs to actually perform a DPIA, organizations need to figure out what kind of data they have, decide whether they really need all that data, know how they’re using that data, discover what risks may come about from processing that data, and then plan measures to address those risks, which could include cybersecurity safeguards such as encryption. Responsibility for performing a DPIA falls upon the data controller, and it must be performed before the processing of data occurs.
If your company processes personal data related to criminal convictions, or data that is based on systematic monitoring or automated decision making, like profiling, then a DPIA is mandatory. If data processing is unlikely to result in the damage of a data subject’s privacy, then a DPIA is usually not required.
The compliance guidelines describe a few cases that require a DPIA. For example, if your organization is a hospital that processes sensitive health information, including genetic data, then a DPIA would be required. If your company tracks the Internet activity and work stations of employees, then that counts as systematic monitoring and would also require a DPIA.
The same goes for companies that use camera systems to monitor driving behavior and license plates, or companies that gather public social media profiles; DPIAs are required because the people whose data is processed in these examples are considered vulnerable data subjects. Companies that handle international data transfers, fingerprints, and facial recognition data must also comply with the DPIA requirement.
However, an online magazine with a mailing list likely doesn’t count as a “high risk” since it’s not extensive or systematic, and therefore most likely would not need a DPIA in order to meet GDPR compliance guidelines.
In general, many companies will need to perform DPIAs to help prevent the catastrophic breach of personal data, to reach compliance with GDPR standards, and to avoid the steep fines associated with the GDPR. The DPIA is just one of the many rules a company needs to follow to ensure full GDPR compliance, alongside the need to notify data subjects about data breaches in a timely manner and the implementation of strong encryption practices to protect personally identifiable data.