06) Does your organisation conduct Data Privacy Impact Assessments as part of its risk assessment processes? 
GDPR DPIA Data Privacy Impact Assessment
Written by Haydn Brooks
Created on March 18, 2019
Modified on September 3, 2020

Answer yes if your organisation conducts Data Privacy Impact Assessments for every data flow that involves Personal Data as defined by GDPR.

A Data Protection Impact Assessment (DPIA; the GDPR's Article 35 term for what this question calls a Data Privacy Impact Assessment) is a process to help you identify and minimise the data protection risks of a project. It is carried out against a specific processing activity, before that processing begins, to ensure that each privacy risk to the individuals concerned has been recorded, and that controls have been put in place where necessary to reduce it.

You must do a DPIA for processing that is likely to result in a high risk to individuals. The GDPR names some types of processing that always require one, for example systematic and extensive profiling with significant effects on people, large-scale processing of special category or criminal offence data, and large-scale systematic monitoring of publicly accessible areas; the ICO has also published a list of further operations for which a DPIA is required in the UK. You can use the ICO's screening checklists to help you decide when to do a DPIA.

It is also good practice to do a DPIA for any other major project which requires the processing of personal data.

How to implement the control:
A useful guide on Data Protection Impact Assessments is published by the ICO on its website (ico.org.uk). In outline, a DPIA should: describe the nature, scope, context and purposes of the processing; assess its necessity and proportionality; identify and assess the risks to individuals; identify the measures that mitigate those risks; record the advice of your Data Protection Officer, where you have one; and, if a high risk remains after mitigation, be submitted to the ICO for prior consultation before the processing starts. Keep the completed assessment under review and update it when the processing changes.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.