Data Protection Impact Assessments (DPIAs), formerly known as Privacy Impact Assessments, have long been a best-practice requirement. Since the introduction of the GDPR on 25th May 2018, Article 35 makes them a statutory requirement where necessary.
The law states that a DPIA is required where an organisation proposes to process personal data in a way that could present a ‘high risk’ to data subjects. The law does not define ‘high risk’ particularly well; until detailed regulator guidance is produced or case law provides direction, an element of judgement must therefore be exercised when deciding whether a DPIA is required.
ARU therefore makes an initial assessment of proposed new data processing, or of changes to existing data processing, a key part of its IT project and procurement management processes.
The first step is an initial DPIA screening process to decide whether a full, detailed DPIA is required. The Initial Assessment form should be completed by the initiator.
The DPO will discuss the proposal further with the initiator if required and will then decide whether a full-scale assessment is needed. The Data Protection Officer will complete the full DPIA process if one is required.
DPIAs are a tool to help organisations identify, assess and mitigate or minimise the privacy risks associated with data processing activities. They’re particularly relevant when a new data processing process, system or technology is being introduced.
A DPIA is a key component of a 'Privacy by design' approach to a project or other personal data processing activity. 'Privacy by design' is an essential tool in minimising privacy risks and building trust with Data Subjects and partners. The Information Commissioner's Office (ICO) encourages organisations to ensure that privacy and data protection are key considerations in the early stages of any initiative, and then throughout its lifecycle. DPIAs also support the accountability principle, as they help organisations comply with the requirements of the General Data Protection Regulation (GDPR) and demonstrate that appropriate measures have been taken to ensure compliance.
Failure to adequately conduct a DPIA where appropriate is a breach of the GDPR and could lead to fines of up to 2% of an organisation's annual global turnover or €10 million – whichever is greater.
The GDPR mandates that a DPIA be conducted where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”. The three primary conditions identified in the GDPR are:
A DPIA should be completed for new initiatives or for changes to existing systems or processes. It may also be a recommended outcome from a formal investigation into an information security incident or weakness at the University. A DPIA must be considered for all research projects that use special category data or involve the processing of large volumes of data.
Embedding data privacy features into the design of projects can have the following benefits:
ARU’s Data Protection Officer has overall accountability for ensuring that DPIAs are completed for high-risk personal data processing initiatives. Responsibility for ensuring that a specific DPIA is completed lies with the individual responsible for the initiative, such as:
The Data Protection Officer will retain a central log detailing all completed DPIAs. The individual responsible for the initiative should retain a copy of the completed DPIA, with the master held by the Secretary & Clerks Office for audit purposes and to demonstrate compliance with legislative requirements should a query be raised. A DPIA must be approved by the Data Protection Officer to be considered valid.