Data Protection Impact Assessments
Data Protection by Design and Default
An important principle that is interwoven throughout modern data protection legislation is that of data protection by design and default. Whenever you are working with personal data, you must ensure that you put in place suitable technical and organisational measures to implement the core data protection principles, thereby protecting personal data and the rights of the individuals to whom it relates.
Data protection should always be reviewed on a regular basis, including by means of a data protection audit, but when you are considering a new project using personal data, or a new use for personal data which you already hold, you should aim to build in good data protection from the very start. This approach, previously known as privacy by design, is now referred to as data protection by design and default.
You should always begin by thinking about any potential privacy and data protection issues arising out of a particular project. This way, they don’t take you by surprise, and you won’t find yourself having to change your approach later on to accommodate data protection concerns or, worse still, implementing a new project or system which turns out to be non-compliant and puts individuals’ personal data and rights at risk.
Data Protection Impact Assessment
A Data Protection Impact Assessment or “DPIA” is a valuable tool in this area. You must undertake one if your proposed personal data processing is likely to result in a high risk to individuals. Even if there isn’t a high risk involved, however, a DPIA is still a very useful exercise and good practice endorsed by the Information Commissioner.
A DPIA should:
- Describe the nature, scope, context, and purpose(s) of the personal data processing
- Assess necessity, proportionality, and compliance measures
- Identify and assess risks to individual data subjects
- Identify additional measures needed to mitigate such risks
During the process, it may be necessary to consult with others, whether within your business or with third parties such as data processors.
When assessing risk, both the likelihood and the severity of the potential impact should be considered. If a high risk that cannot be mitigated is identified, you are required to consult with the Information Commissioner’s Office.
Document Templates Available
We provide two different Data Protection Impact Assessment templates:
- Our Standard Data Protection Impact Assessment contains a range of detailed questions designed to help you fulfil the criteria described above. This document is the more prescriptive of the two DPIAs available.
- Our Short Form Data Protection Impact Assessment follows a similar structure to the standard version but takes a simpler approach and is designed to be more open and flexible. Many sections in the template simply set out the key issues to be considered, enabling you to tailor it to your project more easily.
We also provide a set of DPIA Guidance Notes which explain important aspects of the DPIA including deciding when one is required, who should be involved, and how to carry out the assessment.