Under GDPR you are required to carry out a Data Protection Impact Assessment (DPIA) under certain circumstances. In this article we explain what those circumstances are and how to carry out the assessment.
What is a DPIA?
A DPIA is basically a risk assessment of the impact of carrying out an activity on the rights and freedoms of individuals. These are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
What triggers a DPIA?
There are a number of circumstances in which you will need to carry out a DPIA within the organisation. These apply if you:
- Use systematic and extensive profiling or automated decision-making to make significant decisions about people.
- Process special category data or criminal offence data on a large scale.
- Systematically monitor a publicly accessible place on a large scale.
- Use new technologies.
- Use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit.
- Carry out profiling on a large scale.
- Process biometric or genetic data.
- Combine, compare or match data from multiple sources.
- Process personal data without providing a privacy notice directly to the individual.
- Process personal data in a way which involves tracking individuals’ online or offline location or behaviour.
- Process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them.
- Process personal data which could result in a risk of physical harm in the event of a security breach.
What is defined as large scale?
‘Large scale’ isn’t specifically defined in GDPR, but it does give a few examples of what it would view as large scale.
Examples of large-scale processing that would trigger a data protection impact assessment could be a hospital (but not an individual doctor) processing patient data; tracking individuals using a city’s public transport system; a fast food chain tracking real-time location of its customers; an insurance company or bank processing customer data; a search engine processing data for behavioural advertising; or a telephone or internet service provider processing user data.
Individual professionals processing patient or client data are not processing
What type of risks might arise?
In a DPIA, the risks you are looking for are those associated with an individual’s rights and freedoms. These can also include other risks such as physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage.
Don’t worry if you still need a bit of help: get in touch with our experts for further information.