A Data Protection Impact Assessment is a risk assessment in respect of the effects of data collection and processing on the data subject.
GDPR makes it compulsory to complete a DPIA if the processing of personal data is “likely to result in a high risk to the rights and freedoms of natural persons”. Such a risk includes where there is a possibility of disclosure of data (intentionally or by way of data breach) or where the use of the data has an impact on the data subject.
Even when a DPIA does not appear to be mandatory, it is always a good idea to complete the impact assessment on the occurrence of certain events, in order to be able to demonstrate GDPR compliance if an issue should ever arise and to ensure that your organisation is following best practice in relation to the privacy of your staff, customers and others. I would regard the following events as triggers for a DPIA:
– Opening a new business;
– The beginning of any new project involving personal data;
– If you begin collecting or processing special category data;
– If you begin to use data in a new way;
– The beginning of any direct marketing campaign;
– A new relationship wherein you will be passing data to a third party;
– Use of new software or IT;
– Employing a number of employees or creating a new category of employee;
– Every few years to ensure continuing good practice.
The DPIA involves describing the data processing activity, assessing the necessity and proportionality of the processing, identifying and assessing the risks to the rights and freedoms of individuals and stating the measures that will be taken to mitigate the risks. It involves compliance with approved codes of conduct. The DPIA is a living document and you will likely refer to it often, and use it as a guide for your data processing activities.
The above is intended for information purposes only, and is not intended to be relied upon as legal advice. Please contact us on 01-6763257 for advice specific to your needs. We at Fitzsimons Redmond LLP are happy to work with you to develop a robust DPIA for your business.
By Lisa Quinn O’Flaherty
Solicitor at Fitzsimons Redmond LLP