Data Protection Impact Assessments (DPIAs)

Data Protection Impact Assessments (DPIAs) are an important compliance tool when you are embarking on new processing or making changes to existing processes. In some cases it will be a legal requirement.

What is a DPIA?

A DPIA is a structured exercise you go through before starting proposed processing to identify how it will affect the individuals whose personal data is involved, to assess the risks to those individuals, and to decide what measures are needed to reduce those risks.

When do you need to do one?

The Law requires that a DPIA is carried out where the processing is likely to result in a high risk to the individuals whose data is involved. However, organisations should always assess the impact of new or revised processing practices where those involve personal data. If you are unsure whether you need to do a DPIA, ask yourself these screening questions:

  1. Will the project involve the collection of new information about individuals?
  2. Will the project compel individuals to provide information about themselves?
  3. Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information?
  4. Are you, or will you be, using information about individuals for a purpose for which it is not currently used, or in a way it is not currently used?
  5. Does the project involve you using new technology that might be perceived as being privacy intrusive? For example, the use of biometrics, facial recognition or profiling.
  6. Will the project result in you making decisions or taking action against individuals in ways that can have a significant impact on them?
  7. Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records, other special category data or other information that people would consider to be private.
  8. Will the project require you to contact individuals in ways that they may find intrusive?

Why is a DPIA important?

New processes and new technology can affect individuals in ways that are not always obvious. The DPIA is an invaluable tool which ensures that risks are identified and understood, and that appropriate measures are taken to respond to those risks before the processing begins.

Design and Default

The Law requires organisations to build data protection into their processes 'by design and default'. DPIAs are an effective tool to support this legal duty.

What does a DPIA look like?

Every organisation will have different requirements and processes but here's a template you can modify for your own needs.

Please note: The information required within a DPIA under the Law Enforcement Ordinance differs from that required by the Law. When processing personal data for a law enforcement purpose under the Law Enforcement Ordinance, please consult sections 36 and 37 of the Ordinance.