Data Protection Impact Assessment Template

GDPR Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA), also known as a Privacy Impact Assessment (PIA), is a key part of GDPR compliance when using personal data in certain ways, as described below.

Note: A Data Protection Impact Assessment is not something to be taken lightly, particularly if it is required under the GDPR or by the ICO according to the screening criteria outlined below.

If a high risk is identified and you cannot mitigate it satisfactorily with a solution, you must consult the ICO before starting to process personal data for the relevant purposes.

This template is designed to help you to identify and reduce the privacy risks posed both to individuals and to your business by new projects involving the use of personal data.

The purpose of a DPIA is to document the identification of privacy risks in a new project, the proposed solutions, the evaluation of those solutions, the agreed solutions, and the integration of those solutions into the overall project plan. Ideally, risks will be eliminated or significantly minimised, allowing the project to proceed unhindered and protecting the rights of individuals.

Under the GDPR, you must carry out a DPIA if you plan to:
- Carry out systematic and extensive profiling that will have significant effects;
- Process sensitive personal data (or data about criminal offences) on a large scale; or
- Systematically monitor public spaces on a large scale.

These may well not apply to many small businesses, but the Information Commissioner’s Office (ICO) has additional criteria that call for a DPIA:
- Using new technologies;
- Using profiling or sensitive personal data to determine individuals’ access to services;
- Profiling individuals on a large scale;
- Processing biometric or genetic data;
- Matching or combining data from multiple sources;
- Collecting personal data from a source other than an individual without providing the individual with a privacy notice (known as ‘invisible processing’);
- Tracking individuals’ location or behaviour;
- Profiling children or targeting services to them; or
- Processing data that may endanger individuals’ physical health or safety if a security breach occurs.

What’s more, even if your proposed project does not meet the above criteria, it can still be good practice to carry out a DPIA. By identifying risks early and building solutions into a new project, you are far less likely to inadvertently stumble and fall foul of the GDPR. Not only can the fines be significant, but perhaps more importantly, a mistake involving personal data and privacy could cost you your reputation and end up doing more damage than a fine ever could.

This DPIA template begins with a summary of the proposed project, followed by a series of screening questions, many of which are based on the above criteria. Details of internal and external parties (such as data processors, individual data subjects, key staff members etc.) to be consulted follow. The DPIA then sets out details of the personal data to be collected and how it is to be processed, stored, retained, and shared. Details of your lawful basis or bases for processing should also be provided here.

The next three sections of the DPIA cover risk identification. Please note that the potential risks already included in the template should be used as a starting point only. The included risks are not exhaustive and great care must be taken to ensure that you have identified all possible risks associated with your project. Each risk should be assessed in terms of the severity of its impact and the likelihood that it will occur. Space is provided for notes or comments, but do not detail solutions at this point; space for solutions is provided later in the assessment.

The eighth section of the DPIA looks at proposed solutions. Each risk identified should be addressed here. In some cases, one solution will address multiple risks. Please note that the possible solutions already included in the template should be used as a starting point only. The included solutions are not exhaustive and great care must be taken to ensure that you have established suitable solutions for all risks associated with your project. Each solution should be evaluated carefully.

Next come the approved solutions. These should be drawn from the evaluations of proposed solutions in the previous section.

It is important to tie your chosen solutions into your overall project plan. Section 10 of the DPIA maps out this process and includes space to detail specific actions to be taken in response to identified risks and solutions.

The final section should be used to approve and sign off the completed DPIA.

Optional phrases / clauses are enclosed in square brackets. These should be read carefully and selected so as to be compatible with one another. Unused options should be removed from the document.

This Data Protection Impact Assessment is in open format. Either enter the requisite details in the highlighted fields or adjust the wording to suit your purposes.
