Get a handle on the DPIA process: 7 steps to a great implementation of new systems

By Gry Josefine Løvgren
March 6, 2024

Data Protection Impact Assessments (DPIAs) can be more straightforward than you think. Based on the requirements of the U.K. Information Commissioner's Office (ICO), we give you a step-by-step guide to doing a great DPIA. The DPIA process also ensures that new systems in your organisation are implemented legally.

Step 1: Identify the need for a DPIA

A DPIA is needed when there is a potential high risk for the people whose data you are holding. A high risk can be understood as, for example, systematic and extensive profiling, large-scale use of sensitive data, or public monitoring. The reasons can be many, but as stated by the ICO: “If in doubt, then you should probably do a DPIA”. 

Even if you do not have to do a DPIA, you still need to run through steps 2 to 7 to make sure you comply with your obligations to keep a ROPA (Register of Processing Activities). However, it can be less extensive.

Step 2: Describe the processing

Once you’ve determined that you probably need to conduct a DPIA, it’s time to map out, step by step, what you will do with Ms. Brown’s data that you collected when she became a member of your organisation. How do you store it? Who has access to it? As well as the bigger picture: Why do you process this data? You need the nature, scope and context of your processing activity.

This step also helps you stay on top of your ROPA and comply with Article 30 of the GDPR.

Step 3: Consider consultation

This is where it gets a bit more comprehensive. However, it is an extremely important step. You should seek the opinion of the people whose data is involved. What is Ms. Brown most concerned about when sharing her personal data with you? Design a consultation process to seek the views of those particular individuals or their representatives.

Step 4: Assess necessity and proportionality

Consider how you ensure data protection compliance. What is your lawful basis for processing? Does the processing achieve your purpose?

Again, this step is also crucial for managing your ROPA.

Step 5: Identify and assess risks

Risks play a crucial role in data protection. Whether you are obliged to do a DPIA or not, you should always assess and identify risks associated with the new system and the processing of data.

What is the worst thing that can happen to your data subject? Loss of control over one's data? Discrimination? Identity theft? Physical harm? You need to consider both the likelihood and severity of possible harm.

Step 6: Identify measures to mitigate the risks

In step 6 you describe how you are going to prevent harm from happening. Maybe it's deciding not to collect certain types of data, or maybe it's taking additional technological or organisational security measures. Ask your DPO for advice on this matter.

Step 7: Sign off and record outcomes

You have made it to the (tentative) end of your DPIA process. Remember that you do not always have to eliminate every possible risk. You may decide that some risks, and even a high risk, are acceptable given the benefits of the processing and the difficulties of mitigation. Get your DPO’s advice before signing off.

That’s it. You are now one step closer to creating a safe environment for the data of your subjects and ensuring sustainable compliance in your organisation.

In Wired Relations, we support you through all seven steps of your DPIA. We assist you in organising and documenting the entire process when implementing new systems.
Book a demo to see the workflow in practice.

Mastering the DPIA process - register for a free Masterclass

The DPIA process is crucial whenever your organisation considers a new system or a new process. We’ve created an online Masterclass in mastering it. You’ll learn how to set up your organisation for the process, how to collaborate with your organisation and how to do the individual steps effectively. The Masterclass is divided into two online courses, each consisting of one-hour sessions.

Sign up to the Masterclass here:

Masterclass I - Tuesday April 9: Diving into the steps to take

Masterclass II - Thursday April 25: Securing buy-in and collaboration



For more inspiration, read this example of a completed DPIA