We heard recently from the French Data Protection Authority, CNIL, on the topic of Data Protection Impact Assessments (DPIAs). Now Ireland's Data Protection Commission (DPC) has issued its own Guidance Note on DPIAs under the General Data Protection Regulation (GDPR).
It describes the process in detail and provides lists of risks and mitigation methods. Key takeaways:
- If a processing operation would ordinarily require a DPIA but you believe it is not likely to result in a high risk, thoroughly document the reasons for not carrying one out.
- It is good practice to carry out a DPIA as early as practical in the design of the processing operation. For some projects it may need to be a continuous process.
- Seek the views of data subjects, e.g. through a survey. If your final decision differs from the views expressed by data subjects, document this. If you conclude that you do not need to consult data subjects at all, document that too.
- You may wish to maintain a data protection risk register that describes the risks associated with a project and assesses the likelihood and impact of each. Update it regularly. For small projects this may be more informal.
- It is good practice to produce a final DPIA report that includes the records kept at each stage of the DPIA process together with the conclusions reached.
- You may want to publish your DPIA.