GDPR: Data protection impact assessment (DPIA)

Anyone who’s been following AppSaloon for the past two years knows that we take GDPR, and all of its implications, seriously. In this blog post we will briefly discuss the process of DPIA, or Data Protection Impact Assessment. The GDPR states that every organisation that processes personal data in a way that is likely to entail a high risk for the rights and freedoms of the subjects whose data are being processed needs to perform a DPIA. A DPIA is an instrument for mapping the privacy risks of a data processing system before development and, subsequently, for taking measures to reduce these risks.

GDPR doesn’t require the controller to perform a DPIA for each processing of personal data. As a rule, a DPIA is only mandatory when the data processing, given its nature, size, context and purpose, is likely to pose a high risk to the rights and freedoms of a natural person. If a DPIA is necessary, you can’t start processing data before it has been performed.

The Data Protection Authority has drawn up a list of types of processing for which a DPIA is mandatory before you start processing personal data. The list is not exhaustive, so it is possible that your processing is not on it. In that case, you must determine for yourself whether your processing results in a high privacy risk for those involved.

GDPR indicates that a DPIA must be performed at least when an organisation:

  • evaluates or makes score assignments, including profiling and prediction;
  • systematically follows people on a large scale in a publicly accessible area (e.g. with camera surveillance);
  • processes special personal data or processes criminal data on a large scale.

More info – GBA, Belgium (in Dutch)

There are different methods for performing a DPIA, and you can find a lot of templates online. They need to meet the basic requirements described in the GDPR, such as a systematic description of the data processing you will be doing, an assessment of the privacy risks and the measures to reduce these risks. All this needs to be documented and stored for as long as the personal data is being processed.

If your DPIA shows that the processing of personal data produces a high risk and you are unable to find sufficient measures to limit this risk, then you must consult the Belgian Data Protection Authority before you start processing the data. This is called a prior consultation.

Performing a DPIA is not a one-time assignment, but a continuous process. Every time you change the purpose or use a new technology to process the personal data, you need to do a new Data Protection Impact Assessment.


If you want more information on how to perform a DPIA for your website, don’t hesitate to contact our Data Officer at dpo@appsaloon.be or +32 11 123 589.