I’ve come across a situation where companies were being sold expensive consultancy services on the pretext that if they have a Data Protection Impact Assessment (DPIA) then they are compliant. I don’t even know where to start explaining how many levels that is wrong on.
- DPIA is not required by everyone.
- It does not automatically make you compliant.
- It’s not rocket science, and most companies going through GDPR have already done this, albeit without knowing what it’s called.
I’m going to keep this post short and simple.
The DPIA is not required by everyone. Quoting the guidelines from the Maltese IDPC:

> “In line with the risk-based approach embodied by the GDPR, carrying out a DPIA is not mandatory for every processing operation. A DPIA is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1))”
Where “high risk to the rights and freedoms of natural persons” is defined as:

> “…the reference to “the rights and freedoms” of data subjects primarily concerns the rights to data protection and privacy but may also involve other fundamental rights such as freedom of speech, freedom of thought, freedom of movement, prohibition of discrimination, right to liberty, conscience and religion.”
They were also kind enough to provide a diagram, to avoid doubt, as well as practical examples on pages 11 and 12 indicating which kinds of data processing would require a DPIA and which would not.
Onto point 2, the implication that having a DPIA makes you compliant. Nope, not on its own. Even if you require a DPIA, completing it doesn’t mean you’ll be compliant. It is only one of the measures required for compliance.
In addition, those that try and sell you a DPIA form or methodology as the road to salvation are clearly exploiting a business opportunity. Yes, there are guidelines, but there is no single prescribed format or methodology. You can even devise your own, as long as it meets the criteria set by the IDPC or the ICO of your country.
One more thing: just because you do not need a DPIA today, or have already completed yours, does not mean you are done. We all know that GDPR does not stop after the 25th of May. So if your business starts building a new service or new product, it is still your duty to evaluate whether you will require a DPIA for the new processing activity and to conduct it if required. Hence it would be best if you add a step to your processes for new services and new products to determine whether they require a DPIA or not.
Onto my last point. It’s not rocket science. We’ve all been doing it to one level or another: we’re all assessing the risks and impact of any form of personal data that we’re storing or processing. The British ICO’s guidelines even provide you with steps on how to go about it. So even if you do need to conduct a DPIA, there is no need to panic; you most probably already have all the information at hand.