Under GDPR, a data controller has to carry out a Data Protection Impact Assessment (DPIA) when personal data processing is likely to result in a high risk to an individual’s rights and freedoms. There are numerous situations where a DPIA is required and many organisations are also choosing to undertake a DPIA as a matter of good practice, even where not strictly required.
However, undertaking a DPIA requires a level of support and expert knowledge that many organisations do not have. Thorntons Data Protection team can help support you to undertake a DPIA and ultimately minimise risk to your data processing practices.
A DPIA is essentially a risk assessment for projects concerning personal data. The impact assessment identifies the risks, for example, of a data breach or a breach of data protection principles, and seeks to find practical ways to address and mitigate those risks if possible.
The DPIA does not have to be made public; however, it helps to reassure your stakeholders and the regulator, the Information Commissioner’s Office (ICO), that you can demonstrate accountability in terms of your decision-making. Many organisations will not have the necessary expert knowledge in-house to carry out effective DPIAs. Our Data Protection team can help you undertake DPIAs, minimising data processing risks for your organisation.
Under UK GDPR, a data controller is required to carry out a DPIA when the anticipated processing of personal data is likely to result in a high risk to an individual’s rights and freedoms. The practical situations where a DPIA is required are numerous and many organisations are choosing to carry out a DPIA as a matter of good practice, even if they are not strictly required. DPIAs help you build trust with customers, clients, and staff, and can highlight potential problem areas before time and money is heavily invested.
At Thorntons, our specialist Data Protection team can advise you on when you need to carry out a DPIA and help you undertake the assessment.
In order to complete a DPIA, it is recommended you consult with all the relevant stakeholders, for example the project lead, your Data Protection Officer (DPO), Information Security Officer and Procurement Department (as appropriate).
A DPIA must contain and document all of the following:
- A systemic description of the envisaged processing operations and the processing purposes, including any legitimate interest relied on by your organisation
- An assessment of the necessity and proportionality of the proposed processing operation
- An assessment of the risks to the rights and freedoms of individuals
- Measures you have adopted to address any risks, including safeguards, security measures and mechanisms
You may consult the data subjects involved if you feel their input would be valuable in terms of building trust or gaining insight. In cases where the risks cannot be mitigated, you should consult the ICO. Thorntons can provide expert advice and guidance on any DPIA to ensure your organisation’s compliance with data protection law.
Thorntons Data Protection Team can lead your DPIA process by ensuring the appropriate documentation is completed and all relevant stakeholders are consulted. We also use our expert knowledge of data protection laws to help identify any risks and develop mitigation strategies. Once the DPIA is completed, we will work with you to support practical execution of risk mitigation strategies and keep in touch with you at regular intervals to review progress and ensure roll-out of action points are completed.
Please call our specialist Data Protection team on 03330 430350 for practical advice and support on how Thorntons can help you with Data Protection Impact Assessments. Or complete our online enquiry form and an expert in our Data Protection team will call you back.