Do you need to do a Data Protection Impact Assessment?

Tagged with GDPR HELP, GDPR ADVICE, GDPR, DPIA
by Adam Brogden
in Blog

31-Jan-2019 14:43

A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project. You would normally expect to complete a DPIA for new developments, significant changes, or the installation of a new bought-in system. DPIAs are not necessarily required for legacy systems, although you might consider conducting a DPIA just to make sure you are GDPR safe.

You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing. You can use our screening checklists to help you decide when to do a DPIA. It is also good practice to do a DPIA for any other major project which requires the processing of personal data.

Your DPIA must:

  • Describe the nature, scope, context and purposes of the processing

  • Assess necessity, proportionality and compliance measures

  • Identify and assess risks to individuals

  • Identify any additional measures to mitigate those risks

To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.

You should consult your data protection officer (if you have one) and, where appropriate, individuals and relevant experts. Any processors may also need to assist you.

If you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.

You should consider whether to do a DPIA if you plan to carry out any other:

  • Evaluation or scoring

  • Automated decision-making with significant effects

  • Systematic monitoring

  • Processing of sensitive data or data of a highly personal nature

  • Processing on a large scale

  • Processing of data concerning vulnerable data subjects

  • Innovative technological or organisational solutions

  • Processing that involves preventing data subjects from exercising a right or using a service or contract

You should always carry out a DPIA if you plan to:

  • Use systematic and extensive profiling or automated decision-making to make significant decisions about people

  • Process special-category data or criminal-offence data on a large scale

  • Systematically monitor a publicly accessible place on a large scale

  • Use innovative technology in combination with any of the criteria in the European guidelines

  • Use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit

  • Carry out profiling on a large scale

  • Process biometric or genetic data in combination with any of the criteria in the European guidelines

  • Combine, compare or match data from multiple sources

  • Process personal data without providing a privacy notice directly to the individual in combination with any of the criteria in the European guidelines

  • Process personal data in a way that involves tracking individuals’ online or offline location or behaviour, in combination with any of the criteria in the European guidelines

  • Process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them

  • Process personal data that could result in a risk of physical harm in the event of a security breach

You should carry out a new DPIA if there is a change to the nature, scope, context or purposes of your processing. If you decide not to carry out a DPIA, you should document your reasons why.

This is a tricky area – take a look at our other blogs for information on how to complete a DPIA or call us for help.

Good luck all.
