When and how to write a GDPR DPIA

Data Protection Impact Assessments are a way for companies to minimize risk around new processes and keep a record demonstrating their efforts to comply with the GDPR.

The EU’s General Data Protection Regulation (GDPR) legislation isn’t meant to be a mere compliance checklist. Unlike some other data-related regulations, there isn’t a simple list of processes and technologies you can install to be compliant. And just because you were compliant on May 25, 2018, doesn’t mean you are still compliant now.

A primary way to both show and audit your own ongoing compliance efforts is through Data Protection Impact Assessments (DPIAs), which help you assess new processes involving personal data and demonstrate that you have considered and mitigated the risks that could lead to non-compliance with GDPR. However, these assessments can be time-consuming. Companies should know when they need to conduct a DPIA and when they don’t, so they can make that call without fearing non-compliance and the threat of fines.

What are Data Protection Impact Assessments?

DPIAs are a process to help organizations identify and minimize the data protection risks of a project. The idea is to prevent potential data protection issues before they arise and reduce the risk of non-compliance. Organizations identify potential risks around the processing of personal data and then outline how they plan to mitigate those risks and reduce the potential negative impacts on the personal data of individuals in the EU.
