When and How to Conduct a Data Protection Impact Assessment


In the first half of 2021 alone, there were 1,767 publicly reported data breaches exposing a total of 18.8 billion records. Figures like these make the risk of being breached very real, and data privacy is an increasing concern for organizations, which are charged with ensuring that the personal data in their possession is protected against malicious cyberattacks.

This is where the Data Protection Impact Assessment (DPIA) comes in. The DPIA is a standardized process for organizations to conduct an extensive analysis of their data processing systems and to identify and minimize data protection risks. While a DPIA is a legal requirement under the GDPR for high-risk data processing, it also promotes compliance and brings financial and reputational benefits, because it demonstrates your commitment to data protection to your customers and other stakeholders.

Here are some things you should consider when you implement a DPIA for your organization.

When to conduct a DPIA?

A DPIA must be conducted prior to any type of processing that involves high risks. This not only puts you in a better position to deal with cybersecurity issues, but it also gives your target audience peace of mind that you have done the due diligence to protect their data.

The UK GDPR states that you must conduct a DPIA if the data you’re processing has significant societal effects, is processed publicly and on a large scale, or has to do with criminal offence data. However, it is recommended that you conduct a DPIA regardless of the perceived scale or severity of cyber-attacks on your organization.

If you’re unsure which processing constitutes a high risk in your organization, consider these types of data processing for which European law requires a DPIA:

  • You use innovative technology
  • You use profiling or special category data to determine access to services
  • You profile personal data on a large scale
  • You process biometric or genetic data
  • You match or combine data from various sources
  • You conduct invisible processing: data collection from a source other than the individual
  • You use location tracking or behavioural statistics
  • You profile children and market advertisements or services to them
  • You process sensitive data that has implications on the individual’s health and safety if a security breach happens

How should you conduct a DPIA?

According to the Information Commissioner’s Office (ICO), a DPIA should contain the following steps:

  1. Determine the need for a DPIA
  2. Describe the data processing
  3. Consider having a consultation
  4. Analyze the need and scale
  5. Identify and analyze risks
  6. Identify mitigation strategies
  7. Document outcomes
  8. Incorporate outcomes into an action plan
  9. Continuous reviews

The DPIA can be applied to just one aspect of your data processing system, or it can be applied to a group of similar processes, known as a joint DPIA.

The key to an effective DPIA is step 9: reviewing the plan regularly. This should not be one of those SOPs that collects digital dust somewhere in the organization’s cloud storage. The digital world is constantly changing; likewise, your risk factors and mitigation strategies should be updated regularly to reflect the latest cyber risk trends.

With more data collected and stored online, data protection and privacy policies must be normalized in every organization. A great place to start is with Dathena’s Data and User Risk Assessment solution. It allows you to map the users within your organization who have access to, or handle, highly sensitive business data, and ensures that such data isn’t shared with unauthorized individuals. Dathena's data risk assessment tool helps you determine how sensitive data is being distributed in your organization and gives you a head start on designing a robust cybersecurity and data protection framework.
