To DPIA or not to DPIA (Data Protection Impact Assessment)

13 November 2018

It is almost six months since the EU General Data Protection Regulation entered into force, bringing with it a substantial paradigm shift in the way that individuals, businesses, and regulatory authorities approach privacy.

One important part of the new legislation is the requirement for any individual or entity that processes personal information of EU citizens, to undertake a Data Protection Impact Assessment (DPIA). Whilst some businesses may think they can conduct business without undertaking such assessments, this is highly unadvisable.

Why? Let us explain further.

What is a DPIA?

DPIA is the EU-speak version of a Privacy Impact Assessment (PIA) and it is an impact assessment that is carried out by any business or individual that has access to sensitive and/or private data pertaining to Citizens of an EU Member State. The process involves the company reviewing its systems, software, and procedures in order to see how they may impact or compromise the privacy of the individuals whose data it collects, holds, or processes in any way.

The three main goals of a DPIA are to ensure compliance with applicable legal, regulatory, and policy requirements for privacy, determine any risks and effects, and to evaluate protections and alternative process in order to mitigate potential privacy risks.

What are the benefits of a DPIA?

The DPIA is a demonstration of an organisations ability and dedication to keeping their client’s information safe and secure. By assessing the security of personal information, companies can enjoy higher trust and confidence levels from members of the public.

In addition to this, it is a good way to seek an early warning for any potential privacy issues and it allows the company to build safeguards before, rather than after a potentially devastating leak. It also helps to avoid embarrassing, and costly privacy mistakes, as well as providing evidence that an organisation has made attempts to prevent such situations, therefore reducing the chance of liability.

In an age where privacy is something that internet users are valuing more and more each day, if a company can adequately demonstrate that they take their clients’ security seriously, they can enjoy a greater competitive edge in the market.

What are the consequences of not undertaking a DPIA?

The assessment must always be conducted when the processing could result in a high risk to the rights and freedoms of natural persons. Under the EU GDPR, Data Protection Impact Assessments are mandatory for any organisations that uses technologies and processes that are likely to result in the rights of the data subjects being negatively impacted.

As such, DPIAs should be used as a default tool for all businesses or organisations that collect, store, or transfer personal data pertaining to EU citizens. As well as being an essential component of the GDPR, carrying penalties for failure to comply, they are also a part of ISO 27001 which is a risk management-based approach that is designed to ensure information security meets specified standards within an entity.

What else do I need to know?

Whilst the EU GDPR applies to all 28 member states, it is up to the local government of each jurisdiction to establish a list of processing operations that require that DPIAs are carried out.

If you are not sure whether your business processes or operations fall under the scope of the GDPR and are therefore required to undertake a DPIA, then it is always best to conduct it anyway. Undertaking such an assessment will only benefit the company, whereas failing to do could not only result in a breach of EU and National law, but it could result in costly privacy related issues in the future.

Companyies that undertake a DPIA whether required to by law, or just due to abiding by best practices, are required and advised respectively to undertake it every three years. It is also advised to repeat the process as and when any procedures, software, or operations are altered significantly, thus changing the scope of the pervious DPIA.

Where BDO comes in

Data protection and customer privacy can be a minefield and considering the GDPR is still new and unknown to many, enforcing its wide-reaching regulations can be tricky. At BDO, we have a team of highly trained privacy professionals that are able to advise and guide you with a practical approach on all matters relating to GDPR and privacy. Contact us here to find out more.