Data Protection Impact Assessment (DPIA)

Under the GDPR, the accountability principle (Article 5(2)) requires controllers not only to comply with the Regulation but to be able to demonstrate that compliance. One tool for demonstrating compliance is the data protection impact assessment (DPIA), which Article 35 requires to be carried out before undertaking processing that is likely to result in a ‘high risk’ to individuals. Article 35(3) names three cases in which a DPIA is mandatory:

  • a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions are based that produce legal effects or similarly significantly affect individuals;
  • large-scale processing of special category (sensitive) personal data or of data relating to criminal convictions and offences; and
  • systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV).

Where the DPIA shows a residual high risk that cannot be mitigated, the controller must consult the supervisory authority before the processing begins (Article 36).

Please visit: https://gdpr-info.eu/art-35-gdpr/

The UK Information Commissioner’s Office (ICO) has drawn up a list of examples of processing likely to result in high risk, which includes activities such as data matching and the use of innovative technology including artificial intelligence. The ICO has also issued guidance on DPIAs following a public consultation.

Please visit:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/examples-of-processing-likely-to-result-in-high-risk/