DPIAs – Detailed Investigations

Do you know where to start?

A data protection impact assessment is an investment in the future of your data protection regime. It’s probably best to look at  it that way as there’s quite a lot of work involved in delivering one.

Understanding roles and responsibilities with respect to a DPIA is important. The data controller is planning the initiative that’s going to have the impact and at the end of the day will make the decision. The DPIA is an advisory document. It’s great if the DPIA is used to guide decision making, but in itself the DPIA does not give the go ahead nor stop a project.

Because each initiative is unique it’s hard to give a clear process to follow, but the overall objective is clear. You are seeking to ensure that there is no more risk to the rights and freedoms of data subjects following the initiative. It’s a big bonus if you can improve protection. This means that risk assessment is the major part of the task.

We’ve outlined some of the considerations you need to take as you go through the process. If you’re not the DPO for your organisation, you definitely need to get them involved in this process. There is no doubt that the DPIA is as much a team effort as the initiative being planned.