Article 35 of the General Data Protection Regulation (GDPR) requires that a Data Protection Impact Assessment (DPIA) be carried out where processing is likely to result in a high risk to the rights and freedoms of individuals. Although there is no definitive definition of what "high risk" means, the Article 29 Working Party has issued guidance on the kinds of processing that are likely to be regarded as high risk. That list includes profiling, automated decision-making that produces legal or similarly significant effects, the processing of sensitive (special category) data and the innovative use of new technology. It should be noted that the use of new technology does not, on its own, make processing high risk.
What is a DPIA?
A DPIA is a process that allows a company to identify and assess the risks associated with a particular processing activity. It is essential that this risk assessment is carried out for high-risk processing, because the risks must be understood and mitigated for the company to comply with the GDPR. If the risks cannot be adequately mitigated, the company must consult the Lead Supervisory Authority (LSA) before the processing begins.
There is no prescribed step-by-step procedure for carrying out a DPIA; however, the GDPR does specify certain elements that every DPIA must contain. These are:
- A systematic description of the processing operations and the purposes of the processing.
- An assessment of whether the processing is necessary and proportionate in relation to those purposes.
- An assessment of the risks to the rights and freedoms of the individuals whose data is processed.
- A record of the measures envisaged to address the identified risks.
To comply with Article 35 of the GDPR, there are certain best-practice steps a company should take first.
- A data audit, so that the company knows what personal data it holds, where it is stored, how it is processed and who is responsible for that processing.
- Deciding on the most suitable form of assessment for each area and each type of processing. This matters because different high-risk processing activities will call for different assessments.
Once a company has all of this information, it will be well placed to carry out DPIAs on the data that it processes.