How will the GDPR's DPIA requirement affect you?

You may be all too familiar with your organization’s change-management process, the regular steps of review being used, and maybe even the exact wording of its requirements — some of which may have remained unchanged for years. Up until now, the focus of change management has been centered on the interests of the organization, naturally. But now, thanks to the General Data Protection Regulation, companies will not only have to account for privacy and security measures for themselves, but also for the individuals whose personal data exists on its information systems.

Data protection matters

If it’s determined that the GDPR applies to an organization, then it’s likely that the data protection impact assessment (DPIA) requirement has been mentioned as well. Here's what Article 35 regarding DPIAs states:

"Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks."

The takeaway? Any time new processing operations are being implemented, it’s a must to conduct a full assessment of how it will impact personal data protection. Within the new requirement, this stipulation is crystal clear: Organizations will need to find a way to build the DPIA into their processes consistently and continually. The question is, how can your organization adopt the DPIA requirement without causing a major disruption to service delivery? 

What triggers a DPIA? 

One of the biggest challenges for most organizations will be the integration of data privacy and protection into their longstanding product delivery model. A good starting point for most is to revisit your organization’s policies and procedures, and assess where a DPIA can fit in the change and risk management documentation.  

Here are some of the circumstances that may prompt a DPIA, according to the GDPR, specifically:

Read More: iapp.org

About the Author

Kevin Kish is a Privacy Technical Lead with Schellman & Company, LLC. With nearly 8 years industry experience, he has a strong history of implementing, maintaining, and assessing global information security and privacy requirements, including ISO 27001, HITRUST, Privacy Shield and the General Data Protection Regulation. As an industry advocate, he is passionate about researching and writing on the fundamentals and concepts of sustainable data privacy; and, providing education to clients on the risks, challenges, and best practices around data privacy legislation. He holds several privacy designations from the international association of privacy professionals, including CIPP/US, CIPP/E, and CIPM.

More Content by Kevin Kish