The Office for Personal Data Protection advises data controllers on personal data protection impact assessment
The General Data Protection Regulation (GDPR) has introduced a new obligation for data controllers: to carry out a data protection impact assessment (DPIA). The obligation concerns the processing of data that involves a high risk of impacting the rights and freedoms of the individuals (natural persons) whose personal data are being processed. According to the office, controllers are struggling to cope with this obligation, which is why the office has now published a methodology for DPIA.
The methodology responds to the shortcomings of the current impact assessment practices and aims to ensure compliance with GDPR requirements while also reducing the burden on personal data controllers. Data controllers often do not know what the assessment should look like: for example, they resort only to verbal evaluations, without providing specific information describing specific threats and measures taken.
Importantly, a high-quality and detailed DPIA is a necessary tool to identify threats to personal data protection and impacts on the privacy of data subjects, and to ensure that necessary technical and organisational measures are taken.
The DPIA should be reviewed repeatedly: data controllers should carry out a new assessment in particular when the parameters of data processing have changed, new threats have been identified, or new technologies employed.
The methodology is only a recommendation, which means that different methodologies may be used as long as all GDPR requirements are met. The methodology is intended primarily for the controllers, but can also be used by personal data processors.