Featured in JEP’s Expert Panel – 4th April 2018
“DPIA” stands for data protection impact assessment, and Article 35 of the GDPR sets out in detail what it is, when it should be undertaken and what it should cover.
There seems to be a lot of confusion within some organisations about DPIAs, and I’ve heard it repeatedly misstated as being a GDPR audit or a data mapping exercise. It is neither. In practice, a DPIA can only be undertaken once the first part of the GDPR project, i.e. data mapping, has been comprehensively completed.
A DPIA must be undertaken where there are plans to deploy new technologies in the large-scale processing of sensitive personal data that could result in a “high risk” to the rights and freedoms of natural persons. The nature, scope, context and purposes of the new processing must be assessed, including an examination of its necessity and proportionality and of the changing level of risk to personal data, and the assessment must identify exactly what remedies will be applied to manage and reduce this risk.
It is mandatory for processes that deal with special category data or criminal convictions/offences, that produce legal decisions, or that significantly affect a person following a systematic and extensive evaluation of personal aspects, including profiling.