If you have data that could be a risk, on a security level or personal level, the answer is yes, you do need to complete a Data Protection Impact Assessment.
What is a Data Protection Impact Assessment (DPIA)?
The idea of a DPIA is to help you to reduce the level of data protection risk. Carry out a DPIA for all regulatory enquiries to ensure you are GDPR compliant.
Here’s our checklist of what it should include:
1. Processing Description
Give a complete description of what data you are storing and the reasons why you’re storing it.
- How did you get the data and how is it being stored?
- How many people are you expecting to hold data for?
- Are the individuals aware of how the data will be used?
- What are the reasons you are holding the data?
2. Management Discussion and Outcome
It’s a good idea to discuss the project with those who are responsible for the process. Raise questions about the reasons for capturing and storing the data and ensure that everyone is aware of their responsibilities for staying GDPR compliant.
3. Why the Data Processing is Required
This is where you explain the lawful basis for processing and storing the data.
- Is it clearly defined and does it meet the standards as required by GDPR?
- Is this the only way to achieve the process or is there another way you can do it without affecting the individuals’ rights?
- How will you ensure that the data is accurate and kept up to date?
- What safeguards are in place to ensure data minimisation?
- How will you uphold the rights of the individuals you give information to?
4. Risk Analysis and Measures
What measures are you taking to minimise the risk of the data being compromised?
1. Write down as many risks as you can that could affect the individuals. Think about what risks would arise if the data became compromised.
2. Assign a risk level to each one, from no risk to high risk, and describe what the harm could be.
3. Write down the measures that you have in place to combat that risk. For example, an explanation of the security protocols in place to mitigate the dangers of the data being compromised.
TIP: Graphical descriptions are a good place to start.
The likelihood is that you already have everything covered, but putting together a Data Protection Impact Assessment is a way to double check that you are GDPR compliant and to minimise the possibility of a data protection risk. Keep the DPIA up to date by reviewing and updating it every 3-6 months.
Need help capturing data that is GDPR compliant? LeadLabs tools make it easy. Find out more