A breach of the General Data Protection Regulation (GDPR) could lead to regulatory fines of up to 4% of your organisation's annual global turnover for the previous fiscal year, or €20 million – whichever is greater.
If those numbers scare you (as they should), it's important to follow protocol to ensure your business remains compliant.
Data protection impact assessments (DPIAs) are mandatory for high-risk data processing under the GDPR, but how exactly do you conduct one?
Keep reading as we reveal the essential steps of a DPIA process.
What Is the Purpose of a DPIA?
DPIAs are just one component of the GDPR's current risk assessment lineup.
A DPIA looks at how your organisation processes data and how such processing may put the rights of individuals at risk. It is a process for building and demonstrating compliance, and it involves evaluating the "origin, nature, particularity, and severity" of that risk.
Essential Steps of a DPIA
If you must perform a DPIA, you should begin early in the life of your project.
You should conduct the assessment before you start processing data. It should run adjacent to the planning and development process and include the steps outlined below.
Describe How You Will Handle Data
First, describe how you will handle data throughout your project. You should be as thorough as possible in analysing your data processing actions from beginning to end.
Outline the Scope of Processing
Then you will outline the extent to which your organisation will process data. You must describe the types and quantity of data in detail.
Express Your Purpose
Next, you must describe what your organisation's project is expected to achieve through processing data. What are the benefits for your organisation as the data controller, and how will this affect consumers?
Consider the Context
At this stage, think about the ways this data processing may affect your data subjects, and show that you've put thought into this stage of the process.
Report Proper Consultation
When possible and appropriate, you must consult with consumers on their views about your project. Depending on the project, you may also have to consult with data processors, your Data Protection Officer, or information security experts.
If these consultations take place, you must report and record them at this point in the assessment.
Address Specific Compliance Measures
You will need to address GDPR compliance from the beginning of your project. Here, you'll analyse whether data processing activities are compliant with all international privacy laws.
Evaluate Data Protection Risks
Perhaps the most important step in a DPIA, this is where you'll analyse data protection and privacy from all angles. List and consider all potential threats to data security and privacy.
Formulate Risk Mitigation Strategies
Next, you will formulate solutions and risk mitigation strategies to lessen or eliminate the risks you identified in the assessment phase. It's important to understand what impacts the processing is likely to produce. You must address each potential risk you listed earlier in the process.
Approval and Sign-Off
Finally, you will confirm that the DPIA's evaluations, findings, and strategies have approval from all appropriate parties. Who will approve your assessment will differ according to your company and the projects involved, but a supervisory authority can ask for a copy of your assessment.
We're Here to Simplify the DPIA Process
Conducting a DPIA can be a murky, confusing process, but DPIAs are designed to be flexible and scalable to your organisation. You can design a process that fits with any existing processes you have in place to manage project risks.
Throughout the process, you should consult with a professional as needed. Dapple exists to help you make better privacy decisions. Let us help you conduct your next data privacy impact assessment. Sign up to get started.