March 8, 2019

When do I have to carry out a Data Protection Impact Assessment?

Whether you are already GDPR compliant or on the journey to becoming compliant, you need to familiarise yourself with data protection impact assessments (DPIAs) and ensure that you carry one out for all the data you process and the different tasks your business carries out. But what is a DPIA and how do you go about completing one?

What is a data protection impact assessment?

A Data Protection Impact Assessment (DPIA), also known as a Privacy Impact Assessment (PIA), is a tool for identifying how your work might impact the people whose data you’re using. From the perspective of the General Data Protection Regulation (GDPR), your primary concerns are:

  1. What will be the privacy impacts of this work? and
  2. How will I ensure privacy is maintained?
Carrying out a DPIA is a straightforward process but you need to think about the types of information you’re using and what could happen if you lost control of them.

A good DPIA will help you sort out the sensitive data that you must protect carefully from day-to-day contact information that is less of a worry.

When might I need a DPIA?

A DPIA is the first thing you should do when starting a new project, to make sure you give privacy considerations a high priority.

A new project might require you to handle new personal information. For example, one Astrid client wanted to start working with social media influencers but needed to gather information on them. The DPIA helps the organisation to understand what kinds of information are involved and what the impacts of mishandling that information might be. In this example, the aim was only to use information that influencers had already put onto social media, so the impacts of publishing or losing the information are really quite low.

Do I need to do a DPIA for personal data I’m already processing?

If you don’t have a data protection impact assessment in place for work you’re already doing, then we recommend you start on one right away. Without a DPIA, you can’t be sure you’re in control of the personal data your business uses. The DPIA will identify the biggest potential problems so you can focus on managing those risks first.

We recommend that you look out for areas where you process data that’s either ‘special category’ or could put people at risk of financial or reputational loss. Special category data is sensitive personal data such as racial origin and religious beliefs. It is prohibited to process this data unless particular grounds for processing it are met. Businesses such as legal and financial services, professional healthcare and wellbeing services face particular risks, as losing sensitive client information could have significant impacts on clients’ lives. Performing a DPIA as quickly as possible will highlight these risks and help you manage them.

How do I complete a data protection impact assessment?

Whatever your business, Astrid has simple tools and guidance you can use to get a DPIA in place and tackle any issues you identify. By completing tasks 2, 3 and 5 in the first stage of our process, you have performed a comprehensive DPIA. Astrid also has all the guidance you need to review DPIAs and make sure they’re up to date. Register for Astrid today.

Further reading

You can find out more about data protection impact assessments on the ICO website, but we think the ICO’s guidance is too complicated for small businesses, which is why Astrid simplifies it!


Emma Oram