What is DPIA

When your organization collects, stores, or uses personal data, the individuals whose data you are processing are exposed to risks. These risks range from personal data being stolen or inadvertently released and used by criminals to impersonate the individual, to worry being caused to individuals that their data will be used by your organization for unknown purposes. A Data Protection Impact Assessment (DPIA) describes a process designed to identify risks arising out of the processing of personal data and to minimize these risks as far and as early as possible. DPIAs are important tools for negating risk, and for demonstrating compliance with the Data Protection Act.

This document assumes that a DPIA will be conducted for a defined project, rather than for an organizations operations as a whole. A particular function of your organization, or a programme of changes to your organizations operations as a whole, may be viewed as a project.

Why DPIA is necessary

Use innovative technology
Use profiling or special category data to decide on access to services
Profile individuals on a large scale
Process biometric data
Process genetic data
Match data or combine datasets from different sources
Collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’)
Track individuals’ location or behavior
Profile children or target marketing or online services at them
Process data that might endanger the individual’s physical health or safety in the event of a security breach.

Benefits of DPIA

Conducting a DPIA will improve awareness in your organization of the data protection risks associated with a project. This will help to improve the design of your project and enhance your communication about data privacy risks with relevant stakeholders. Some of the benefits of conducting a DPIA are as follows:

Ensuring and demonstrating that your organization complies with the GDPR and avoids sanctions.
Inspiring confidence in the public by improving communications about data protection issues.
Ensuring your users are not at risk of their data protection rights being violated.
Enabling your organization to incorporate “data protection by design” into new projects.
Reducing operation costs by optimizing information flows within a project and eliminating unnecessary data collection and processing.
Reducing data protection related risks to your organization.
Reducing the cost and disruption of data protection safeguards by integrating them into project design at an early stage.