A data protection impact assessment (DPIA) is a documented report on a specific data processing operation. This risk assessment tool is mandatory when data processing operations are “likely to result in a high risk to the rights and freedoms” of individuals. For example, it is crucial when launching a complex project, such as CCTV surveillance or call recording, where you need to assess the consequences of the planned data processing.
A DPIA often requires a lot of staff effort and time; however, it helps you comply with legal requirements, demonstrate responsibility, minimize risks and respect fundamental human rights.
WALLESS experts share their insights on what to consider when conducting a DPIA:
• Use the DPIA questionnaire – it will help you assess whether a DPIA is needed;
• Urgent project or not, prepare a DPIA report in the early stages of each project. This will help to ensure privacy by design and by default and to avoid any surprises in the future;
• Include all responsible persons who will work with the project (from data collection to its use for the actual purpose) – their expertise will help to ensure the consistency of this document;
• A DPIA must be “alive” and should be continually revisited as the project progresses;
• Always ask for the DPO’s documented opinion on the data processing operation assessed in the DPIA;
• Treat the DPIA as a valuable risk management tool, not a time-consuming formal responsibility.