What the ICO says –
“You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.”
What does this mean for your organisation –
Under the UK Data Protection Act, adopting Privacy by Design and carrying out privacy impact assessments (PIAs) where relevant was recommended good practice. Under the GDPR, organisations have a legal obligation to implement Data Protection by Design and by Default. PIAs are now known as Data Protection Impact Assessments (DPIAs), and they too are a legal requirement in certain circumstances.
DPIA??? Just think of it as a risk assessment for personal data, carried out to identify and reduce the risks that processing poses to individuals, including the risk of a data breach. Carry one out whenever your organisation is considering a change to systems or processes where the processing is likely to result in a high risk to individuals' rights and freedoms, and, as always, document the fact that a DPIA was carried out and how the identified risks are to be mitigated.
Changes that may require a DPIA include, for example (the list is certainly not exhaustive):
- A new computer system is being implemented.
- New CCTV installations or changes to existing CCTV.
- Software changes to large-scale processing operations.
- Transfer of payroll to a third party.
I would always recommend that any change, however small, is given a cursory check to see whether a full DPIA is required; you will be surprised just how much even a minor change can affect data processing risk. Even who carries out the DPIA, and who is involved in it, can affect the risk.
If, after carrying out a DPIA, you conclude that a high residual risk cannot be mitigated, you must consult the ICO before the processing begins, so that the way forward keeps your organisation's changes GDPR compliant.
Once a DPIA has been carried out and the risks mitigated, do you then just forget about it? Absolutely not! As with any good project and risk management process, you need to keep revisiting the DPIA to ensure that actions and operations are not straying from the assessed risk model, and that no unforeseen circumstance has arisen that affects the risks already identified.
Still not sure about DPIAs and Data Protection by Design and by Default? No problem, just get in touch with BMGUK Consultancy Ltd, where I can help you understand them better.
The 12 Days of GDPR snippets are not designed as a guide to making your organisation GDPR compliant; they are just there to whet your appetite and get you started. BMGUK Consultancy Ltd has one of the few certified EU GDPR Practitioners in the UK, so get in touch and I can assist your organisation in becoming GDPR compliant.
What is the GDPR? – It is the next evolution of data protection across the EU. On 25 May 2018 the General Data Protection Regulation becomes enforceable, so if your organisation processes the personal data of anyone in the EU you need to be prepared for the GDPR; otherwise your organisation could face significant penalties.
From the largest multinational down to the smallest sports club, anywhere in the world, if your organisation offers goods or services, even free ones, to individuals in the EU, or monitors their behaviour, then it is highly likely that your organisation will be required to comply with the GDPR.
Whether your organisation is based in the UK or overseas, get in touch with BMGUK Consultancy Ltd for all your GDPR needs.