A Data Protection Impact Assessment (DPIA) is a systematic process for identifying and mitigating the privacy risks that arise from the processing of personal data, and for determining appropriate measures to address those risks. By undertaking a DPIA, organizations can guarantee thorough consideration and effective management of privacy risks, ultimately improving and reinforcing individuals’ rights regarding data protection.
The act of gathering, retaining, and using data exposes individuals to unintentional disclosure, theft, or unlawful use of their information without the data subject’s knowledge; therefore, Section 41 of the Data Protection Act recognizes the importance of data controllers and processors taking the necessary steps to reduce the adverse effects on the privacy of the individuals whose data is involved. Where a DPIA indicates that processing of the data would result in a high risk to the rights and freedoms of a data subject, the data processor is required to consult the Data Commissioner before processing that data.
When is a DPIA required?
Section 31 of the Data Protection Act provides that where a processing operation is likely to result in a high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context, and purposes, a data controller or data processor shall, prior to the processing, carry out a data protection impact assessment. This means that the risks created by the processing of data must be assessed continuously in order to identify when that processing is likely to result in a high risk to the rights and freedoms of data subjects.
Examples of high-risk situations that could potentially require a DPIA
- Processing of sensitive data on a large scale. Sensitive data, according to the Data Protection Act, means data revealing the natural person’s race, health status, ethnic or social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details (including the names of the person’s children, parents, spouse or spouses), sex, or the sexual orientation of the data subject.
- Systematic monitoring of public areas on a large scale. Personal data may be gathered where members of the public are not aware of who is collecting the data and how it will be used.
- Processing of data using new technology, taking into account the nature and purpose of the processing. The consequences of using a new technology may not yet be known; an assessment therefore enables a data processor or controller to understand and cater for such a risk.
Section 31 of the Data Protection Act also sets out what a Data Protection Impact Assessment should contain. First, a systematic description of the anticipated processing operations and the purposes of the processing, which may include the legitimate interest pursued by the person or organization responsible for controlling or processing the data. Second, an evaluation of whether the processing is necessary and proportionate to the purpose for which the data is collected. Third, an assessment of the risks to the rights and freedoms of data subjects. Fourth, the measures envisaged to address those risks, together with the safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Act, taking into account the rights and legitimate interests of data subjects and other persons concerned.
In addition, Sections 41 and 42 of the Data Protection Act recommend matters that should be addressed in the DPIA, which include but are not limited to:
• the amount of personal data collected;
• the extent of its processing;
• the period of its storage;
• its accessibility; and
• the cost of processing the data and the technologies and tools used.
In conclusion, a DPIA promotes compliance; it should therefore be started as early as possible and updated as the project progresses, in order to ensure that the rights and freedoms of data subjects are protected.