How to conduct a data protection impact assessment

GDPR in Practice: Compliance and Fines

Mamnoon Hadi

Head of Analytics & Insights at Readdle

What is a DPIA?

 

  • A DPIA is a tool to identify and mitigate privacy risks in data processing activities
  • Article 35 of the GDPR mandates DPIAs for high-risk data processing
  • Failure to conduct a DPIA when required can lead to regulatory fines and enforcement actions
GDPR in Practice: Compliance and Fines

Why conduct a DPIA?

 

  • Ensure compliance: demonstrates adherence to GDPR requirements

 

  • Identify and mitigate risks: identifies privacy risks and implements safeguards
  • Build trust: helps protect individuals' rights and enhances organizational credibility
  • Improve decision-making: supports informed choices about data protection strategies and impact assessment outcomes
GDPR in Practice: Compliance and Fines

When is a DPIA required?

 

High-risk processing activities:

  • DPIAs are necessary when processing is likely to result in high risks to individuals' rights and freedoms

Examples of high-risk processing:

  • Processing sensitive personal data (e.g. health information)
  • Large-scale profiling or automated decision-making
  • Systematic monitoring of publicly accessible areas (e.g. surveillance)
GDPR in Practice: Compliance and Fines

Key steps in conducting a DPIA

 

Step 1: describe the processing activity

  • What data is being processed and its purpose?
  • Who is involved in processing?

 

Step 3: identify and mitigate risks

  • What are the risks to individuals' privacy rights & how to mitigate?

 

Step 2: assess necessity and proportionality

  • Is the processing necessary for the stated purpose?
  • Are the data collection methods proportionate?
GDPR in Practice: Compliance and Fines

Risk assessment in DPIA

 

Definition of risk assessment:

  • Identify the likelihood and severity of risks related to data processing

 

Risk mitigation strategies:

  • Implement technical measures (e.g. encryption)
  • Vet third-party vendors for GDPR compliance

 

Risk factors:

  • Severity of potential harm (e.g. data breach, unauthorized access)
  • Probability of risk occurrence
GDPR in Practice: Compliance and Fines

Conclusion

 

Summary:

  • DPIAs are essential for ensuring GDPR compliance
  • The process involves identifying and mitigating privacy risks

  • It helps build trust and protect individuals rights

  • Ensure that DPIAs are conducted for high-risk processing to avoid potential non-compliance issues

GDPR in Practice: Compliance and Fines

Let's practice!

GDPR in Practice: Compliance and Fines

Preparing Video For Download...