When and How to Conduct a Data Protection Impact Assessment

In the first half of 2021 alone, there were 1,767 publicly reported data breaches exposing a total of 18.8 billion records. With figures like these, the risk of a breach is very real, and data privacy is an increasing concern for organizations. They are charged with ensuring that the personal data in their possession is protected against malicious cyberattacks.

This is where the Data Protection Impact Assessment (DPIA) comes in. The DPIA is a standardized process for organizations to conduct an extensive analysis of their data processing systems, and to identify and minimize data protection risks. While DPIAs are a legal requirement under the GDPR for high-risk data processing, they also promote compliance and bring financial and reputational benefits, as they demonstrate your commitment to data protection to your customers and other stakeholders.

Here are some things you should consider when you implement a DPIA for your organization.

When to conduct a DPIA?

A DPIA must be conducted prior to any type of processing that involves high risks. This not only puts you in a better position to deal with cybersecurity issues, but it also gives your target audience peace of mind that you have done the due diligence to protect their data.

The UK GDPR states that you must conduct a DPIA if the data you’re processing has significant societal effects, is conducted publicly and on a large scale, or has to do with criminal offense data. However, it is recommended that you conduct a DPIA regardless of the perceived scale or severity of cyber-attacks in your organization.

If you’re unsure which processing counts as high risk in your organization, consider these types of data processing, for which European law requires a DPIA:

  • You use innovative technology
  • You use profiling or special category data to determine access to services
  • You profile personal data on a large scale
  • You process biometric or genetic data
  • You match or combine data from various sources
  • You conduct invisible processing: data collection from a source other than the individual
  • You use location tracking or behaviour statistics
  • You profile children and market advertisements or services to them
  • You process sensitive data that has implications on the individual’s health and safety if a security breach happens

How should you conduct a DPIA?

According to the Information Commissioner’s Office (ICO), a DPIA should contain the following steps:

  1. Determine the need for a DPIA
  2. Describe the data processing
  3. Consider having a consultation
  4. Analyze the need and scale
  5. Identify and analyze risks
  6. Identify mitigation strategies
  7. Document outcomes
  8. Incorporate outcomes into an action plan
  9. Continuous reviews

The DPIA can be applied to just one aspect of your data processing system, or it can be applied to a group of similar processes, known as a joint DPIA.

The key to an effective DPIA is step 9: reviewing the plan regularly. This should not be one of those SOPs that collects digital dust somewhere in the organization’s cloud storage. The digital world is constantly updating itself. Likewise, your risk factors and mitigation strategies should be updated regularly to reflect the latest cyber risk trends.

With more data collected and stored online, data protection and privacy policies must be normalized in every organization. A great place to start is with Dathena’s Data and User Risk Assessment solution. It allows you to map users within your organization who have access to or handle highly sensitive business data, and ensures that the data isn’t shared with unauthorized individuals. Dathena helps you determine how sensitive data is being distributed in your organization and gives you a head start at designing a robust cybersecurity and data protection framework.

