A Data Privacy Impact Statement (DPIA) is required where a type of processing in particular using new technologies, while considering the nature, scope, context and purpose of the data processing is likely to result in a high risk to the rights and freedoms of natural persons i.e. data subjects. When this happens, the Data Process Controller or person responsible for data protection i.e. GDPR will, before processing of the personal data, carry out an assessment of the impact that they envisage the processing operation may / will have on the protection / non-protection of this personal data. A single assessment may address a set of similar processing operations that may / will present similar high risks.
There are six key parts or stages to a DPIA namely:
- Prior Consultation
In the Description Stage, the Data Process Controller describes in detail the overall context of the process and the data processing operation that is taking place therein.
In the Analysis Stage, they provide a systematic description of the processing operation, the purposes of processing and their legitimate interest in it.
In the Consultation Stage, they seek the advices of the Data Protection Officer and seek the views of the people effected by this processing i.e. data subjects.
In the Conclusion Stage, they will carry out an assessment of the ‘Necessity & Proportionately’ of the processing operation in relation to the purpose and a ‘Risk Assessment’ in relation to the rights and freedoms of data subjects.
In the Prior Consultation Stage, they will consult with the Data Protection Commissioner prior to processing, if the DPIA indicates that the processing of the data will be high risk in the absence of measures taken by them to mitigate the risk.
In the final stage, Repetition, a review will be carried out on a regular basis to confirm that the measures implemented are still protecting the personal data of the data subjects.