



In February 2022, the Greek Data Protection Authority penalized a major telecommunications company for, among other things, an inadequate data protection impact assessment (DPIA). A properly conducted assessment would have surfaced the processing risks behind the company's other violations and could have spared it a hefty GDPR penalty.
The Danish Data Protection Agency likewise sanctioned Elsinore Municipality for failing to conduct a DPIA: the municipality had rolled out Google Workspace without ever assessing the risks that came with it.
If you have to comply with the GDPR or another data protection law, you have probably heard of data protection impact assessments, and you may be wondering whether your business needs one. This article explains what a DPIA is, when it is mandatory, how to conduct one, what it must contain, and what to do with the results.
Once you know all of this, you will probably want to conduct a DPIA for your business anyway, because it is a useful tool for anyone who handles personal data.
A data protection impact assessment is the process by which a data controller identifies and assesses the risks that a planned processing of personal data poses to the people whose data it is.
The goal of the GDPR is to protect people's personal data. It compels businesses to take a proactive approach to data protection, which is why some of them must assess the risks of a processing activity before it starts, in the form of a DPIA.
For some businesses a DPIA is mandatory. For the others it is good practice that reduces the risks of their data processing.
Article 35(1) of the GDPR requires a DPIA whenever a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. Article 35(3) names three cases in which a DPIA is always required:
- a systematic and extensive evaluation of personal aspects of individuals based on automated processing, including profiling, on which decisions are based that produce legal or similarly significant effects on them;
- large-scale processing of special categories of data (Article 9) or of data relating to criminal convictions and offences (Article 10);
- systematic monitoring of a publicly accessible area on a large scale.
These are the situations in which a DPIA is obligatory. Under Article 35(4), every EU supervisory authority must also publish its own list of processing operations that require a DPIA; the Irish Data Protection Commission's list of such activities is one example.
If a DPIA is not required for your business, you will not be penalized if you do not conduct one. However, any business that processes personal data is strongly advised to undertake a DPIA.
It provides you with a comprehensive overview of your processing activities as well as the gaps you should focus on more closely. You may experience data breaches, fail to comply with data transfer laws, or unintentionally violate your users' rights by employing the services of non-compliant processors, regardless of how much data or what kinds of data you process.
Any processing of personal data carries some risk, and a DPIA helps you identify, limit and mitigate those risks. So even where it is not obligatory, it is good practice for every business.
A DPIA can be carried out in several ways. You are free to conduct it in any way you see fit, as long as it achieves its purpose of assessing your risks and informing your data processing decisions.
If you are unsure where to begin, use the templates published by the various data protection authorities. Follow them as a guide or verbatim, as you prefer; the templates themselves impose no obligations.
Your primary concern should be a proper assessment of the risks, not the method you use to get there.
To give you an idea of what the process can entail, below are a few steps for conducting a DPIA that could be helpful:
Remember that no one-size-fits-all DPIA template exists, but existing templates make good guidelines. The templates from the United Kingdom's ICO and France's CNIL are a good place to look for ideas.
Article 35(7) of the GDPR specifies the bare minimum that every DPIA must contain:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing in relation to those purposes;
- an assessment of the risks to the rights and freedoms of data subjects;
- the measures envisaged to address those risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR.
Remember that you can tailor the DPIA content to your company's specific needs. This is the absolute minimum it should contain, but feel free to expand it as much as you see fit. Some businesses conduct complex processing operations that necessitate a more thorough assessment.
As the cases above show, some businesses have been fined for not having a DPIA in place, and others for having an inadequate one. The way to avoid both is to make sure your DPIA is comprehensive.
Once you have the results of your DPIA, you must put the risk-reduction measures into action. The DPIA's purpose is to inform you of your risk mitigation activities, so this is the next logical step.
If the DPIA shows that the residual risk would remain high even after the measures you plan to take, Article 36 of the GDPR requires you to consult the supervisory authority before you start the processing. Describe the processing and the measures you have considered; the authority will give you written advice on whether and how the processing can go ahead.
However, it doesn’t stop there.
You must review your DPIA on a regular basis to ensure that it is up to date with all of your recent changes in processing activities, especially if you:
You are of course free to update your DPIA in other cases as well, whenever you think it is warranted.
Conducting or reviewing your DPIA before you change a processing activity is good practice, because it shows you quickly whether the change keeps you on the right track to compliance.
The key takeaway from this article is that you should conduct a DPIA. Even where it is not explicitly required of you, it is good practice. It takes some time, but it will only benefit your company.