How can DPIAs, or data protection impact assessments, help your business?
You have completed your Article 30 record of processing activities, you know the legal basis for each processing activity and you have reviewed your consent. Then your Data Protection Officer says that you need to do a risk assessment. The dreaded DPIA: the data protection impact assessment.
We hear that and roll our eyes and think, oh good, more data protection work that is just a tick in the box. Data protection impact assessments are a legal requirement for processing that is likely to result in a high risk to individuals, so we have to do them anyway, but I promise you, done properly they are genuinely useful.
When do we need to do this?
Ideally they should be completed before a decision that affects the way you process your data, because the point is to identify and reduce the risk before the processing starts. Carried out later, they can still check the data decisions that you have already made, allowing you to adjust as required.
By looking at everything that we do with the data: collecting, transferring, accessing, storing and deleting, we make sure that we are aware of all the risks. This will take some navel gazing, some coffee and a process review, but it is time very well spent. It will often shed light on areas of the business where you didn't know the whole story.
We can then see what changes are needed, e.g. adding role-based access to your new-starter process so that new staff only see the data their role requires.
The ICO has some great resources and a big section on this: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/
The 4 T’s
For each risk we can then decide: do we treat it (put a control in place), transfer it (for example to a processor under contract, or insure it), tolerate it (accept it, with that decision recorded) or terminate it (stop the processing)? Quite often the solution comes down to holding less data, letting fewer people see it and keeping it for less time. Let's make that DPIA work for you.
I do a checklist on mine, with completion cells that I turn red or green to show the current status, addressing:
Data minimisation: have you deleted the data sets that you don't need? Have you updated your privacy notices?
Purpose limitation: have you ensured the processing purpose is limited and stated?
Storage limitation: have you set and applied a retention period?
Security: is appropriate technical and organisational security in place?
Sign-off: has the assessment been reviewed, signed off and approved?
The final thing is to implement the changes you have made and make it part of your project plan.
The supposedly scary DPIA can really help: it takes some of the emotion out of those big data decisions and makes you look at your business holistically.
Need to know more?
My answer to the question, how can DPIAs or data protection impact assessments help your business? They are a legal requirement that, done properly, reduces the risks to individuals and the risk of fines for your business by helping you make the right data decisions.
If you don't know whether you need to complete one, or don't know where to start, do get in touch. I do a free GDPR health check too. 🙂