
When to carry out a DPIA: How to minimise risk, control your data, and be GDPR compliant

GDPR should, by now, be familiar to most organisations, but the concept of a Data Protection Impact Assessment (DPIA) is much less well-known. However, if you want to be sure your organisation is GDPR compliant then you will need to carry out a DPIA.

In the following, we’ll explain what a DPIA is, and why it’s so critical in helping you stay on the right side of GDPR.


GDPR and the fear factor

Compliance isn’t easy. The General Data Protection Regulation (GDPR) was designed to standardise data protection law and protect people’s privacy, but many organisations have been struggling to meet its requirements.

A major area of difficulty is in implementing the necessary measures to be GDPR compliant. Nevertheless, this is something organisations must overcome if they wish to avoid facing the consequences of non-compliance.

The key tool to help them do this is the data protection impact assessment or DPIA. The DPIA hasn’t made the headlines in the same way as GDPR, but it is central to good data control and risk management.

There’s a certain fear factor that comes with GDPR. This is because its most publicised aspect is the fines non-compliance attracts, which can be up to 5% of an organisation’s global turnover:

  • Google was fined £43 million in 2019
  • H&M faced a £32 million fine in 2020
  • Telecom Italia was fined £24 million in 2020
  • As was British Airways in the same year, for £20 million, and
  • Marriott Hotels, for £18 million.

Obviously, these are the big-hitting headlines, but the fines for non-GDPR compliance can be significant whatever size your company is.

While these fines are a necessary part of the compliance regime, they add to the pressure organisations face in controlling their data, and gaining the necessary confidence to manage it knowing that they’re complying with requirements.


Does GDPR still apply post-Brexit?

Brexit has added to uncertainties over GDPR. You might be uncertain whether it still applies, for example.

The answer is complex: it doesn’t, but it does. Legally, GDPR no longer applies to the UK, because it’s an EU regulation. However, if you operate inside the UK, you will still need to comply with UK data protection law, which currently matches GDPR word for word.

Therefore, in practice, you must still be GDPR-compliant.


What does GDPR say about data?

The type of data at the heart of GDPR is personal data. Some of this is obvious, such as a person’s name, location, or username. But it can also include things such as IP addresses and cookie identifiers.

Personal data is data that allows someone to be identified. The key issues that GDPR, and UK data protection law, address are:

  • Using personal data, and
  • Storing it.

The Information Commissioner’s Office (ICO) is the independent authority that upholds information rights in the public interest. It says:

You should identify the minimum amount of personal data you need to fulfil your purpose.

Therefore, an organisation should only hold this amount of information and no more.

Organisations shouldn’t overreach when it comes to collecting data about people, and they must protect this data from unauthorised or unlawful processing.

This is the crux of much GDPR enforcement and non-compliance: how securely organisations store personal data. Therefore, they need a way to assess and demonstrate their approaches, processes, and methods for this.

This is where a DPIA comes in.


What is a DPIA?

A data protection impact assessment (DPIA) is a process that systematically analyses, identifies, and minimises your data protection risk.

Whilst a DPIA doesn’t in itself eliminate or minimise risk, it helps you understand it.

Under GDPR, undertaking a DPIA is therefore a key part of your accountability.

ICO sets nine criteria, and if you trigger any two of them, you should then carry out a DPIA. These criteria apply to what ICO calls high-risk processing.

The nine criteria are:

  1. Evaluation or scoring of data
  2. Automated decision making, with legal or similar effects
  3. Systematic monitoring
  4. Data that is sensitive or of a highly personal nature
  5. Large-scale data processing
  6. Matching or combining datasets
  7. Data on vulnerable data subjects
  8. Innovative applications or applying new technological or organisational solutions
  9. Preventing data subjects from exercising a right, or using a contract or service.

Generally, if any two of these criteria apply to your data collection, processing and storage activities, you will need to undertake a DPIA.


What does a DPIA involve?

Managing data is complex, and consequently carrying out a DPIA can be complex too.

The key elements in the DPIA process are:

  • Describing the processing operation and its purpose
  • Assessing the necessity and proportionality of the processing – whether you are holding only the minimum amount of personal data that ICO recommends
  • Assessing the risks to the rights of your data subjects, including risks to both privacy and data protection rights
  • Deciding what measures you can implement to mitigate these risks.

There isn’t a prescribed way of carrying out a DPIA, but it will need to be both diligent and comprehensive to meet ICO requirements.


What are the benefits of a DPIA?

The DPIA is a practical tool to help you understand the personal data you hold, a way to understand the risks of holding and processing that data, and a way of ensuring that you have thought about all aspects of that data.

If the worst were to happen and you suffered a breach, you would have to disclose it to ICO. You’ll need to show a clear decision-making trail regarding your data management. By having the results of a DPIA to hand, you can demonstrate this to ICO.

More than this, however, the DPIA is a valuable discovery process for all companies involved in collecting, processing and storing personal data. It should be a fundamental pillar of your business, because, ultimately, it can better protect your interests and those of your customers.


The Isotoma approach to DPIAs

With our ISO 27001 certification for information security management, we routinely and diligently conduct DPIAs for all our clients, providing you with a systematic framework to help ensure your data compliance.

For more details, please contact the Isotoma team today.