Whilst this might seem like a very specific circumstance, in our experience the failure to carry out a DPIA when required is relatively common. In addition, organisations often overlook the benefits that can flow from voluntarily carrying out a DPIA.
A DPIA is a documented process to identify and minimise the data protection risks associated with a project or plan. There are certain points that a DPIA must cover, for example:
However, DPIAs do not have to be long and detailed. Depending on the risks associated with a project, a lighter-touch approach may be appropriate.
DPIAs are a core part of the GDPR requirement to demonstrate your organisation's compliance. They are not a one-off exercise, and a DPIA should be updated as new information comes to light. Nor are they a tick-box exercise, because each DPIA should be tailored to the specifics of the project.
Under the GDPR, a DPIA must be carried out before starting to process personal data in a way that is likely to result in a high risk to individuals.
The ICO has published a non-exhaustive list setting out ten types of processing for which a DPIA will always be required. This list includes certain processing that involves genetic and biometric data. In addition, the European Data Protection Board has set out criteria that may be applicable.
There are many benefits to carrying out a DPIA, which means that it can be worth doing one even if it is not strictly required. For example:
DPIAs have been one of the cornerstones of data protection compliance since the GDPR started to apply and are only likely to increase in importance as organisations use personal data in ever more complex and innovative ways.