How to implement the control:
The ICO has published a useful guide on Data Privacy Impact Assessments.
Answer yes if your organisation conducts Data Privacy Impact Assessments for every data flow that involves Personal Data as defined by GDPR.
A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project. It is a type of assessment done against a specific processing activity to ensure any privacy risk has been recorded and controls have been put in place where necessary.
You must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing. You can use the ICO’s screening checklists to help you decide when to do a DPIA.
It is also good practice to do a DPIA for any other major project which requires the processing of personal data.