What’s a DPIA? Do I need them?
You may have heard the term data protection impact assessments. What is a DPIA?
DPIAs are a very useful tool that GDPR consultants use to identify breach risks when dealing with personal data.
They are required by law and are carried out when:
- There is a new project/workstream
- The project collects new personal data
- The project asks people to provide personal information
- Personal data could be accessed by organisations or people who haven’t had routine access to it before
- You use personal data for a purpose it is not currently used for, or in a way it is not currently used
- The project involves you using new technology which might be regarded as being privacy intrusive
- The project results in you making decisions or taking action against individuals in ways which could have a large impact on them
- The personal data is of a kind particularly likely to raise privacy concerns or expectations
- The project requires you to contact people in ways which they may find intrusive
What is a DPIA?
We at TCS use a very comprehensive Excel spreadsheet to complete DPIAs, which look at all the actions that apply to personal data, such as:
- Collection
- Access
- Storage
- Transmission
- Deletion
We also consider the privacy risks and what steps are taken to reduce these to a minimum. How we prioritise these depends on the data and the individual organisation’s attitude to risk.
What would this mean for me?
Say, for example, you need to access DBS checks on employees on an annual basis. You cannot store these, but you can access them without holding details. The privacy risk is that information of a very sensitive nature could be seen by unauthorised staff or perhaps unwittingly published, like the Honours List breach. This would be a data breach that would require reporting to the ICO.
Need more information?
There is a comprehensive guide here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/
If you are unsure whether you need to complete DPIAs, or have any questions, we are happy to help and advise! We are qualified, experienced and have completed many, many of these. They just need care, attention and strong coffee. We look at what data you have, then complete data flows and a data inventory to highlight areas that need extra care.
If you are still unsure what a DPIA is, then we can help.
Just get in touch: https://trustedcompliancesolutions.co.uk/contact