How Do I Carry Out a Data Protection Impact Assessment Under the GDPR?

< Back to Data and Privacy
February 20, 2020

The European Union (EU)’s General Data Protection Regulation (GDPR) came into effect in May 2018, affecting many Australian businesses. If your business needs to comply with the GDPR, you may also need to conduct a Data Protection Impact Assessment (DPIA) at some stage. You must conduct a DPIA before undertaking a particularly risky project that collects or uses data. This article will explain:

  • which types of businesses may need to conduct a DPIA;
  • when you may need to conduct a DPIA; and
  • what “high risk” processing of data is.

Controllers and Processors

‘Processing’ data refers to all the possible ways a business might gather, use and distribute data. Controllers (i.e. businesses that decide what information to process, and how they will process it) may need to carry out DPIAs. Processors (i.e. businesses that process information at the request of a controller) will need to assist the controller in carrying out a DPIA if the controller asks them to. Controllers should specify their processors’ obligations, including the obligation to assist with a DPIA, in their data processing agreement

Therefore, you should understand the importance of DPIAs and how to carry one out if you are a controller under the GDPR or a processor who processes data on behalf of a controller.

When Do You Need to Carry Out a DPIA?

If your business is a controller under the GDPR, you may need to carry out a DPIA prior to undertaking a new processing project that is considered to be ‘high risk’. If you are undertaking multiple projects in which you will process data in a similar way, you may only need to conduct a single assessment. 

The purpose of the assessment is to determine if this type of processing falls within the bounds of the GDPR. The table below sets out different types of high-risk processing. 

Type of high-risk processing of data Examples of this processing 
Implementing a new technology 
  • Finger print technology
  • Facial recognition software 
  • Internet of Things applications
Large scale monitoring activities
  • Monitoring of public activities (e.g. a local council setting up a CCTV system or a railway provider setting up surveillance at multiple stations) 
  • Tracking individuals’ location and behaviour  
Systematic and large scale processing
  • Profiling (i.e. automated processing of a large number of individuals’ characteristics)
  • Automated decision making that could result in discrimination or exclusion of a particular group
  • Monitoring of individuals’ (e.g. employees’) internet usage 
Processing large amounts of special categories of data
  • Biometric or health information
  • Criminal details or history
  • Genetic data
  • Political opinions 
Processing the data of vulnerable individuals
  • Children 
  • Employees
  • Mentally ill individuals

Many of these types of high-risk processing require large-scale data processing. The meaning of ‘large scale’ does not yet have a formal definition. However, controllers should consider factors such as the:

  • number of individuals involved;
  • volume of data; and 
  • duration of the processing. 

Importantly, you do not have to carry out a DPIA for every processing activity, or for your day-to-day operations (particularly if you have already ensured that these activities comply with the GDPR). 

What Does an Assessment Look Like?

There is no prescribed form for a DPIA. However, templates are available online. Essentially, the DPIA is a written description of the processing you plan to undertake, including:

  • its nature and scope; 
  • an assessment of the reasons for processing the data in the way you intend to; and
  • an assessment of the potential risks to individuals. 

When completing a DPIA, controllers may also need to ask certain individuals for their views on the proposed processing. 

For example, if you are an employer and you plan to conduct high-risk processing in relation to your employees, you should ask them for their views on the project. Controllers should consider the probability of risk and the potential severity of the impact on individuals. 

Finally, your assessment should describe how you will mitigate these risks and ensure compliance with the GDPR.

Key Takeaways 

If your business is a controller under the GDPR, you may need to carry out a DPIA before undertaking a ‘high risk’ processing project. Carrying out a DPIA demonstrates that you intend to comply with the GDPR. For many businesses, complying with the GDPR can seem complicated. However, the right professionals can help you to understand and meet your obligations. If you need help with carrying out a DPIA, contact LegalVision’s online lawyers on 1300 544 755 or fill out the form on this page.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.

The majority of our clients are LVConnect members. By becoming a member, you can stay ahead of legal issues while staying on top of costs. For just $199 per month, membership unlocks unlimited lawyer consultations, faster turnaround times, free legal templates and members-only discounts.

Learn more about LVConnect

Get a Free Quote Now

If you would like to receive a free fixed-fee quote or get in touch with our team, fill out the form below.

  • We will be in touch shortly with a quote. By submitting this form, you agree to receive emails from LegalVision and can unsubscribe at any time. See our full Privacy Policy.
  • This field is for validation purposes and should be left unchanged.
Read other articles by Jessica
Tags
Our Awards
  • 2019 Top 25 Startups - LinkedIn 2019 Top 25 Startups - LinkedIn
  • 2019 NewLaw Firm of the Year - Australian Law Awards 2019 NewLaw Firm of the Year - Australian Law Awards
  • 2020 Fastest Growing Law Firm - Financial Times APAC 500 2020 Fastest Growing Law Firm - Financial Times APAC 500
  • 2020 AFR Fast 100 List - Australian Financial Review 2020 AFR Fast 100 List - Australian Financial Review
  • 2020 Law Firm of the Year Finalist - Australasian Law Awards 2020 Law Firm of the Year Finalist - Australasian Law Awards
  • Most Innovative Law Firm - 2019 Australasian Lawyer 2019 Most Innovative Firm - Australasian Lawyer
Privacy Policy Snapshot

We collect and store information about you. Let us explain why we do this.

What information do you collect?

We collect a range of data about you, including your contact details, legal issues and data on how you use our website.

How do you collect information?

We collect information over the phone, by email and through our website.

What do you do with this information?

We store and use your information to deliver you better legal services. This mostly involves communicating with you, marketing to you and occasionally sharing your information with our partners.

How do I contact you?

You can always see what data you’ve stored with us.

Questions, comments or complaints? Reach out on 1300 544 755 or email us at info@legalvision.com.au

View Privacy Policy