Data protection impact assessment
The importance of ensuring data protection in any institution is now more apparent than ever before, especially in Europe since the General Data Protection Regulation (GDPR) came into force. According to experts, academics and practitioners, GDPR is a comprehensive framework that safeguards the personal data of EU citizens and residents when it is processed by both public and private entities.
A Data Protection Impact Assessment (DPIA) is one of the key aspects of GDPR. Its required contents are clearly set out in Article 35(7) and in Recitals 84 and 90, and they are:
- A description of the envisaged processing operations and the purpose of the processing.
- An assessment of the necessity and proportionality of the processing.
- An evaluation of the risks to the rights and freedom of data subjects.
- The measures envisaged to:
  - address the risks
  - demonstrate compliance with this Regulation
The new Swiss legislation on data protection, which is expected to come into force this year or early next year, also contains a provision on DPIA. Since GDPR does not provide a DPIA template, institutions can create their own based on the points articulated above. The template published by the UK Information Commissioner's Office (ICO) appears to be comprehensive. It is as follows:
1. Identify need for a DPIA
2. Describe the processing
3. Consider consultation
4. Assess necessity and proportionality
5. Identify and assess risks
6. Identify measures to mitigate / eliminate risk
7. Sign off and record outcomes
8. Integrate outcomes into plan
9. Keep under review
Each step can be further elaborated according to the type of institution and its purpose in undertaking a DPIA.
Written by:
Mohammed Rakib-ul-Hassan
Research & Legal Analyst