DPC Guide to Data Protection Impact Assessments (DPIAs)
Ireland’s data protection authority – The Data Protection Commission (‘DPC’) – has published the guidance on Data Protection Impact Assessments (DPIAs) for organisations.
The guidance highlights that under the General Data Protection Regulation (GDPR), DPIAs are mandatory for high-risk processing projects, and the focus of a DPIA should be on the potential harm to the rights or freedoms of data subjects. It also outlines when organisations need to conduct a DPIA, whether DPIAs have to be renewed for existing processing operations, when in a project lifecycle a DPIA should be carried out, who should be involved, and what steps must be followed during a DPIA.
Further, guidance specifies the key stages of a successful DPIA:
- identifying whether a DPIA is required,
- defining the characteristics of the project to enable an assessment of the risks to take place,
- identifying data protection and related risks,
- identifying data protection solutions to reduce or eliminate the risks,
- signing off on the outcomes of the DPIA,
- integrating data protection solutions into the project.