Data Protection Impact Assessment

Order a personal data protection impact assessment service for your company.

Data Protection Impact Assessment (DPIA) is a procedure provided for in Article 35 of the GDPR. It consists of identifying and describing all processes involving personal data within a company. DPIA is conducted to assess the data protection risks, search for the most vulnerable points in the security system, but most importantly — to develop procedures intended to prevent data breaches. 

Results of the DPIA are summarised in a table that describes:

  • The categories, goals, and volumes of personal data processed by the company;
  • The processes of data collection and processing;
  • The identified risks, weaknesses, and possible threats;
  • The employees, contractors and subcontractors involved in the process;
  • The planned actions in the event of a privacy breach.

Conducting a DPIA is necessary in two cases: either immediately before the start of the collection and processing of personal data, or in the event of significant changes in the company’s already investigated processes. For example, if you launch a new product, you must conduct a DPIA to assess the risks associated with the processing of personal data. Alternatively, the assessment is necessary when the processing environment changes (new hardware, software, processing rules are introduced), or when new categories of data are added to an already well-established process. 

It is also necessary to carry out an assessment in the following situations:

  • Converting paper records and documents into electronic documents.
  • Combining multiple databases into one.
  • Incorporating personal data obtained from commercial sources into the company's existing database.
  • Making changes to the business process that lead to the collection and use of personal data.
  • Implementing projects using third-party suppliers.
  • Changes in personal data due to the addition of new types of information.

The regulation does not set out a clear frequency for conducting a DPIA, since its frequency depends directly on the company’s activities. The intention behind the regulation is that every time you start a new project involving personal data, you must conduct a DPIA. 

Interviewing employees, analyzing documents, searching for and detailing business processes that pose risks to users’ privacy is a long and tedious process that requires attention to detail.

We suggest that you don’t waste time trying to find out on your own where the shoe pinches, but instead seek help from certified data protection specialists who have conducted dozens of Data Protection Impact Assessments and know all the ins and outs of the procedure.


  • Comply with the requirements of Article 35 of the GDPR.
  • Make a complete inventory of processing activities, systems and contractors.
  • Identify unused categories of processed data and get rid of them, thereby reducing the penalties under the GDPR for the company.
  • Demonstrate to partners, customers, and employees your commitment to complying with the law.

Work phases

Step 1.

Identification of the context, value, and scope of processing. 

Step 2.

Identification and analysis of the mechanisms that allow data subjects to exercise their rights. 

Step 3.

Analysis of the data protection mechanisms implemented. 

Step 4.

Identification of the at-risk actors involved in the processing, sources of threats, and potential breaches of privacy. 

Step 5.

Evaluation of the likelihood of risk and severity of consequences for data subjects.

Step 6.

Selection of tactics to minimize the risk, development of the action plan, time frames, and people responsible for data security. 

What do you get by completing a DPIA?

  • Compliance with Article 35 of the Regulation in case of inspection by the Supervisory authority.
  • A table describing the movement of all personal data in the company to further work towards compliance.
  • Summary on the DPIA conducted to demonstrate your company's compliance with the GDPR to customers and partners.

Useful checklists

  1. In order to ensure that our staff understand the importance of considering a DPIA at the earliest stages of any plan involving personal data, we provide training.
  2. DPIA requirements are referenced in our policies, processes, and procedures.
  3. When necessary, we use the screening checklist to determine whether a DPIA is needed for the process.
  4. A DPIA process has been developed and documented.
  5. For relevant staff, we provide training on how to conduct a DPIA.

  1. In any project that involves the use of personal data, we consider conducting a DPIA.
  2. When we plan to do any of the following, we consider whether to do a DPIA:
  • Scoring or evaluation;
  • Taking significant decisions through automated decision-making;
  • Monitoring system;
  • Personal or highly sensitive data processing;
  • Scaled-up processing;
  • Vulnerable data subjects’ data processing;
  • Technological or organizational innovations;
  • An action that prevents a data subject from exercising a right or using a service or contract.
  1. We always conduct a DPIA if we want to: 
  • Make significant decisions about people, employ systematic and extensive profiling and automated decision-making;
  • Organize and process large amounts of data related to special categories or crimes;
  • Maintain a large-scale, systematic monitoring of a public area;
  • Utilize innovative technology in combination with any of the criteria in the European guidelines;
  • Use special category data, automated decision-making, or profiling to assess someone’s eligibility for a service, opportunity, or benefit;
  • Perform large-scale profiling;
  • Use biometric or genetic data in conjunction with any of the criteria in the European guidelines;
  • Compile, compare, or match data from multiple sources;
  • Combine any of the criteria in the European guidelines with processing personal data without providing a privacy notice directly to the individual; 
  • Carry out processing that involves tracking a person’s location or behavior online or offline, in combination with any of the criteria in the European guidelines;
  • Use children’s personally identifiable information for profiling and automated decisions, or to market to them directly;
  • Process personal data that might result in physical harm in the case of security breaches. 
  1. Whenever anything about our processing changes, we’ll conduct a new DPIA.
  2. In the event we do not conduct a DPIA, we document the reason for the decision.

  1. The scope, context, and purposes of the processing are described.
  2. During the contracting process, we require our data processors to explain and document the processing activities and identify potential risks.
  3. Consultations with stakeholders (or their representatives) are carefully considered.
  4. Our Data Protection Officer advises us.
  5. As part of our data processing review, we describe how we will ensure compliance with the requirements of data protection laws and verify whether the processing is appropriate and proportionate for our purposes.
  6. Risks to a person’s rights and interests are objectively assessed.
  7. To eliminate or reduce high risks, we identify the measures we can take.
  8. As part of the outcome of the DPIA, we record our decision-making, including disagreements with the DPO or individuals consulted.
  9. Our project plan incorporates the measures we identified.
  10. Before processing, if high risks cannot be mitigated, we consult the ICO.
  11. Our DPIAs are reviewed whenever necessary.

  1. Ascertained whether this DPIA relates to pre-GDPR processing or to planned processing and confirmed timelines in both cases;
  2. Described why a DPIA was necessary, including the types of intended processing that made it a necessity;
  3. Clarified, organized, and logically structured the document;
  4. Using plain English and explaining technical terms and acronyms we have used, we wrote the DPIA with a non-specialist audience in mind. 
  5. Indicated the relationship between controllers, processors, data subjects, and systems, using both a text description and a data-flow diagram when appropriate;
  6. A clear explanation and presentation of any data flows between people, systems, organizations and countries has been made;
  7. We clearly outlined how we are adhering to all of the Data Protection Principles under GDPR, as well as our legal basis for the processing (and conditions applicable to special categories of data); 
  8. We outlined our approach to supporting the relevant rights of our data subjects.
  9. Assessed all relevant risks to individuals’ rights and freedoms, analyzed their likelihood and severity, and documented all appropriate mitigations;
  10. Provided a sufficient explanation of how any proposed mitigation reduces the identified risk;
  11. We gave reasons why we did not choose less risky alternatives to achieve the same purpose;
  12. Detailed stakeholder consultations (e.g., data subjects, representative bodies) with summaries of the findings;
  13. The DPIA was signed off by the appropriate people after recording the advice and recommendations of our DPO (where applicable);
  14. Set up a schedule for reviewing the DPIA regularly or when its nature, scope, context, or purposes change;
  15. The supervisory authority has been consulted if there are any residual high risks that cannot be mitigated.


When you complete the form, you will:
  • Have the opportunity to ask questions concerning data protection.
  • Discover if this product is right for your business or project.
  • Receive directions on cost, duration, and other details.

Please contact us to schedule an online meeting with a privacy expert!

P.S. Didn’t find anything that suited your needs on the site? Put a brief description of your situation into the “Comment” field. We will get in touch and offer a personalized solution.