Published by the Information Commissioners Office in the UK.

At a glance

  • A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.
  • You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing. You can use our screening checklists to help you decide when to do a DPIA.
  • It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
  • Your DPIA must:
    • describe the nature, scope, context and purposes of the processing;
    • assess necessity, proportionality and compliance measures;
    • identify and assess risks to individuals; and
    • identify any additional measures to mitigate those risks.
  • To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
  • You should consult your data protection officer (if you have one) and, where appropriate, individuals and relevant experts. Any processors may also need to assist you.
  • If you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.
  • If you are processing for law-enforcement purposes, you should read this alongside the Guide to Law Enforcement Processing.
  • The ICO will give written advice within eight weeks or 14 weeks in complex cases. If appropriate, we may issue a formal warning not to process the data, or ban the processing altogether.

Checklists

DPIA awareness checklist

The Full Article:

#DPIA, #GDPR, #EU, #ICO, #Data #Protection #Impact #Assessments,