What are Data Protection Impact Assessments?

As you would already know, public sector organisations store and deal with highly personal information and data from the public.

So, why would we want to risk losing it or allowing it to get into the wrong hands?

Although the General Data Protection Regulation (GDPR) hasn't significantly changed since 2018, it is still the biggest and most important regulation that all organisations which target, or collect data relating to, people in the EU have to follow.

So, where do data protection impact assessments come in?


What are Data Protection Impact Assessments (DPIA)?

Also known as privacy impact assessments (PIAs), they are essentially risk assessments detailing how an organisation will process the personal data it holds. They are designed as an early-warning process for potential threats to operations.

The Information Commissioner's Office (ICO) has long championed the process as a key part of its privacy-by-design strategy. Furthermore, whilst DPIAs are not a new concept, GDPR places greater significance on their use, especially since DPIAs are now a mandatory requirement in certain circumstances.

Data breaches in the public sector are a big threat. Discover how you can prevent them.

When Should I Conduct a DPIA?

You must carry out a DPIA when:

  • Using new technologies
  • The processing is likely to result in a high risk to the rights and freedoms of individuals.

Processing that is likely to result in a high risk includes (but is not limited to):

  • Systematic and extensive processing activities, including profiling, on which decisions that have legal effects (or similarly significant effects) on individuals are based.
  • Large-scale processing of special categories of data, or of personal data relating to criminal convictions or offences. This includes processing a considerable amount of personal data at regional, national or supranational level that affects a large number of individuals and involves a high risk to rights and freedoms, for example because of the sensitivity of the processing activity.
  • Large-scale systematic monitoring of public areas (e.g. CCTV).

Is your public sector organisation struggling to prevent cyber-attacks? Find out why that might be here.

What Information Should the DPIA Contain?

  • A description of the processing operations and their purposes, including, where applicable, the legitimate interests pursued by the controller.
  • An assessment of the necessity and proportionality of the processing in relation to its purpose.
  • An assessment of the risks to individuals.
  • The measures in place to address those risks, including security measures, and to demonstrate that you comply.
  • Note that a single DPIA can address more than one project.

See the ICO's Conducting Privacy Impact Assessments Code of Practice for good-practice advice.

How to Build Your Data and Digital Skills as a Public Sector Professional

Whether you're a Data Protection Officer or you work in digital communications, we have a training course for you. View our upcoming data and digital courses and secure your place today so you don't miss out on expert insights.