The ICO has published draft guidance on the use of Data Protection Impact Assessments (DPIA), a tool used to assess the risks of processing personal data.
The UK has had Privacy Impact Assessments (PIA) for some time as best practice, but the GDPR makes a DPIA mandatory in certain circumstances.
The draft guidance:
- Covers what’s expected when you carry out a DPIA, as well as what DPIAs are and in what circumstances you would use them
- Explains how to carry out a DPIA and provides a DPIA checklist
- Suggests that, whilst you are only required to carry out a DPIA in “high risk” processing situations, it will be considered best practice to carry out one for any major project that involves processing personal data (i.e. a wider approach than the one set out in the GDPR)
- Where you identify a high risk that you can’t mitigate, you have to consult the ICO, which will advise, temporarily ban you from processing the data until it has considered the issue, or issue a formal warning
The consultation runs until 13th April.