Make Sense of a DPIA – step by step


How to Conduct a DPIA: A Practical Guide – by Els Houtman

Want to tackle a Data Protection Impact Assessment (DPIA)? Here’s a clear approach to guide you through it — one step at a time.

Step 1: Figure out if a DPIA is required

Start by asking: is this processing likely to result in a high risk to people's rights and freedoms? That is the threshold Article 35 GDPR sets for a mandatory DPIA.

A DPIA is typically needed if:

·       You are using new or innovative technologies

·       You are handling sensitive (special-category) data or large volumes of personal data

·       Your processing could significantly affect individuals' rights (e.g. profiling, automated decision-making or systematic monitoring)

Step 2: Map the data and how it flows

Get a full picture of the data lifecycle:

·       What data are you collecting?

·       Where does it come from?

·       Why is it needed?

·       Who has access?

·       How long will you keep it?

Understanding the data flow is key to identifying risks later on.

Step 3: Assess necessity and proportionality

Ask the tough questions:

·       Is all the data truly necessary to achieve your goal, or could you manage with less?

·       Are there other ways to achieve the same purpose?

·       Does the processing effectively help you meet your goal?

The more focused and minimal the approach, the better.

Step 4: Ensure GDPR compliance

Check the envisaged processing against all of the GDPR's key principles (Article 5): lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and security (integrity and confidentiality). Record which lawful basis you rely on and how you will demonstrate compliance (accountability).

Step 5: Consult the people involved

Where appropriate, involve data subjects to get their input or flag any concerns. Even a simple form of consultation can go a long way in increasing transparency and spotting risks early. If you decide not to consult, make sure to record that decision and explain why.

Step 6: Identify and assess the risks for individuals

Think through possible scenarios – the "what ifs":

·       Could the data be lost, misused, or accessed by unauthorised parties?

·       What impact would this have on the individuals involved (e.g. discrimination, financial loss, identity theft, loss of confidentiality)?

Anticipating and addressing risks helps avoid more serious issues down the line.

Step 7: Address the risks

Time to act. Depending on the risks identified, consider for example:

·       Limiting data collection

·       Strengthening information security (encryption, access controls, logging, etc.)

·       Anonymising or pseudonymising data where possible

·       Shortening retention periods

The goal is to eliminate risks where possible, or otherwise to reduce them to an acceptable level. Record, for each risk, the measure chosen and the residual risk that remains after it.

Step 8: Document everything

Make sure to document all your findings, decisions, and actions. This is your evidence that you’ve considered privacy and addressed it properly.

Step 9: Record your DPO's advice on the DPIA

If you have a Data Protection Officer, document their advice.

Decided not to follow their advice? Justify and document your reasons.

And if a high risk remains despite the safeguards you have planned, you must consult the supervisory (data protection) authority before starting the processing – the prior consultation of Article 36 GDPR.

One last thing: make sure your DPIA is accurate and truthful – don't fool yourself. An inaccurate DPIA leaves blind spots in your privacy approach, and the consequences can be serious. Treat the DPIA as a living document: review it when the processing, the technology or the risks change.

Could do with some assistance in conducting your DPIA? Get in touch with us via hello@privatum.be – we are happy to help, step by step.

#DPIA #PrivacyProtection #GDPR #Compliance #DataPrivacy #DataSecurity #RiskManagement #Trust #PrivacyMatters #RiskMitigation