In this episode, we take up a key element of the upcoming General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018: the Data Protection Impact Assessment (DPIA). As always, I am joined in this exploration by Jonathan Armstrong, partner at the Cordery firm in London. The UK Data Protection Regulator, the Information Commissioner’s Office (ICO), recently published new draft guidance on conducting DPIAs, entitled “Consultation: GDPR DPIA guidance” (Consultative Guidance).
A DPIA is mandatory in some cases under GDPR. At its simplest, it is a way of assessing data protection risk in any process that involves personal data. A good DPIA process will enable you to identify exactly what you are planning to do with personal data, what the risks are and how you are going to address them. The Consultative Guidance notes that your DPIA “should describe the nature, scope, context and purposes of the processing; assess necessity, proportionality and compliance measures; identify and assess risks to individuals; and identify any additional measures to mitigate those risks.” There are consultation obligations as part of the DPIA process, including, in some cases, the obligation to show your DPIA to a Data Protection Authority (DPA) and seek prior approval.
For more information, check out Cordery’s great GDPR resource, GDPR Navigator.
Finally, if you are in Houston on April 10, the Greater Houston Business and Ethics Roundtable is hosting Jonathan Armstrong for a half-day GDPR workshop, entitled “Are You Ready for GDPR?”. For information and registration, click here.