How to conduct DPIAs
An examination of the legal obligations to conduct DPIAs—for privacy champions and teams implementing projects, new products and services.
Location
Online
About this event
A Data Protection Impact Assessment (DPIA) is a required accountability process to demonstrate compliance with the UK General Data Protection Regulation (GDPR). Organisations use DPIAs to analyse, identify, and minimise any data protection risks while considering the benefits of a proposed business process, project or plan.
Conducting a DPIA is a legal requirement for any type of processing that is likely to result in a high risk. In the event of a data breach or a violation of the GDPR, regulatory authorities such as the UK Information Commissioner's Office (ICO) will ask to see any relevant DPIAs to understand whether appropriate technical and organisational measures were put in place to protect the rights of data subjects. Failure to provide evidence that a DPIA has been conducted will significantly increase the likelihood of enforcement action; such is their importance.
DPIAs are a risk assessment tool used to identify problems during the planning stage and throughout the development process. They help to ensure project benefits are realised on time and within budget. While the data protection officer (DPO) may recommend where a DPIA is required, the responsibility for conducting them lies with the controller. In reality, this often falls to the business function in question.
This one-day course ensures that privacy champions and teams responsible for delivering projects understand their legal responsibilities when conducting DPIAs. It examines the requirements set out in the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18), and follows the latest ICO guidance.
The course covers:
- What is a DPIA?
- The legal requirements for a DPIA
- Data Protection by Design and Default
- The benefits of conducting DPIAs for organisations and data subjects
- When to conduct a DPIA
- How to conduct DPIAs
- Who should be involved in the completion of a DPIA?
- Consultation with stakeholders
- Identifying the proposed information flow
- Identifying data protection and related risks
- What does high risk mean?
- How to identify if an activity is high risk?
- Determining whether the risk is acceptable
- Consulting with the ICO
- Should the DPIA be published?