The GDPR requires that eligible organisations carry out a DPIA in relation to its policies and procedures. A DPIA is a risk assessment of the proposed processing of personal information by an organisation. The DPIA should help a business identify the most effective way to comply with its data protection obligations, identify and mitigate risks to data and meet individuals’ expectations of privacy.
Recent guidelines advise businesses to conduct DPIAs if their proposed activity is likely to result in a “high risk” to individuals.
It gives nine criteria to be considered:
- Evaluation or scoring, including profiling; e.g. credit check, website usage data
- Automated decision-making; e.g. exclusion or discrimination
- Systematic monitoring of individuals e.g. employer’s CCTV to monitor employees
- Processing sensitive data or data of a highly personal nature e.g. medical/health records, political beliefs or trade union activities
- Processing data on a large scale
- Matching or combining datasets;
- Processing data concerning vulnerable individuals; e.g. mentally ill persons
- Innovative use or application of technological or organisational solutions e.g. finger print and face recognition combined for physical access control