DPIA OR DATA PROTECTION IMPACT ASSESSMENT
The purpose of a DPIA or data protection impact assessment is to identify and assess the risks to individuals that arise when an organisation processes personal data, in particular the risk that that data is lost, stolen or otherwise exposed.
Data can be lost or stolen in many ways: information sent to the wrong recipient, a lost or stolen laptop, a physical break-in or a successful cyber attack. In a DPIA, the likelihood and impact of each such risk are estimated using a qualitative and/or quantitative method.
To conduct a DPIA, the scope is first defined: which types of personal data the organisation processes and how sensitive they are, how and for how long the data are retained, with whom and by what means they are shared, and how they are eventually destroyed.
The outcome of the DPIA is a set of measures that should be taken to reduce the risk of both loss and theft in the context of processing personal data.
Conducting a DPIA is not a one-off task but a continuous process: the assessment has to be revisited whenever the processing, the technology or the legal framework changes. We continuously review the relevant national and European legislation.
WHEN ARE YOU OBLIGED TO CARRY OUT A DPIA?
Under Article 35 of the GDPR, a DPIA is mandatory whenever the processing is likely to result in a high risk to the “rights and freedoms” of natural persons. Where that threshold is not met, you, as the data controller, may decide for yourself whether or not to carry out a DPIA.
Typical situations in which a DPIA is required, drawn from Article 35(3) and the lists published by the supervisory authorities, include the introduction of new IT systems or technologies, camera surveillance of premises, the transfer of personal data to third countries and the processing of sensitive (special category) personal data.