All too often, project managers are handed a DPIA (Data Protection Impact Assessment) request from IT that must be completed before a project can pass internal governance.
But what exactly is a DPIA, and what is it for? In this blog post, we address the most common questions and concerns about it.
- What's a DPIA?
- Why are DPIAs important?
- What risks do DPIAs assess?
- DPIA and software systems purchase
What is a DPIA?
A Data Protection Impact Assessment (DPIA) is a process designed to help you systematically identify, analyse and minimise the data protection risks of a project or plan.
It is a key part of your accountability obligations under the UK GDPR and, when done properly, helps you both assess and demonstrate how you comply with your data protection obligations.
A DPIA does not eliminate every risk, but it helps you minimise the risks you can and decide whether the remaining level of risk is acceptable in the circumstances, weighed against the benefits of what you want to achieve.
Why are DPIAs important?
Conducting a DPIA is a legal requirement for any organisation whose processing of personal data is likely to result in a high risk to the rights and freedoms of individuals.
Failing to complete a DPIA where one is required can expose an organisation to enforcement action, including fines of up to £8.7 million or 2% of global annual turnover (whichever is higher) under the UK GDPR.
The use of a DPIA will increase your awareness of privacy and data protection issues and it will ensure that all relevant staff involved in the project are thinking about data protection by design at an early stage.
It will also enable you to consider what personal data is actually required and why.
A DPIA is a living document that you should revisit regularly to manage and review the risks of your processing and the measures you have put in place to address them.
If you change how or why you process personal data, or increase the amount of data you collect, your DPIA must be updated to show that you have assessed any new risks.
What ‘risks’ do they assess?
The UK GDPR does not explicitly define "risk". It does, however, require safeguards to be considered in proportion to the risks that processing poses to the privacy, data protection, and wider rights and freedoms of individuals.
Any processing that could cause physical, material or non-material damage, such as identity theft, financial loss, damage to reputation, or loss of confidentiality of personal data, must be assessed and appropriate protections put in place.
When assessing these risks, you must consider at least the following:
- What data needs to be collected?
- How will the data collected be accessed?
- Where will data be stored?
- And who will have access to this data?
All these questions need to be answered as part of your DPIA risk assessment.
DPIA and software systems purchase
If you're considering purchasing a SaaS product, start your DPIA as early as possible in the procurement process.
Doing so lets you take all the risk factors into account while requirements are still being defined, rather than after a contract has been signed.
Remember that the UK GDPR does not prescribe a template for a DPIA, although Article 35(7) does set out what it must at minimum contain: a systematic description of the processing, an assessment of its necessity and proportionality, an assessment of the risks to individuals, and the measures envisaged to address those risks. Above all, it has to show that you have considered the processing thoroughly.
Where personal data is involved, as in projects that require public consultation or stakeholder engagement, choosing a reliable and secure tool to manage that data is a key consideration in your DPIA.
With a purpose-built system such as Tractivity, you can keep your stakeholder data handling GDPR compliant and reduce the risk of a data breach.
Contact us to learn more about how Tractivity can support your project management and engagement needs.