Ensuring our Society data is protected - DPIA process
Published 16 Feb 2022 in Colleagues
To help protect our data, the Society’s Data Protection team is launching a new process for Data Protection Impact Assessments (DPIAs). Protecting data is everyone's responsibility, so please ensure you and your fellow colleagues are familiar with it.
Who keeps our data protected?
The Society has a dedicated Data Protection Steering group (‘DPSG’) made up of two or three Data Protection Champions (DPCs) from each business area. These DPCs act as the ‘eyes and ears’ within their business area on behalf of the Society’s Data Protection Officer.
Whilst DPCs are the co-ordinators for data protection compliance matters within their business area, it’s important that all colleagues have an awareness and knowledge of the new DPIA process, as you may be involved in projects which involve the processing of personal data.
So... what is a Data Protection Impact Assessment (DPIA)?
A Data Protection Impact Assessment (DPIA) is a process for documenting the risks of a project which involves the processing of personal data, and the appropriate mitigation being taken against those risks.
The DPIA is carried out at the outset of a project so that any mitigation is part of the planning stage.
The purpose of the DPIA isn’t to eradicate all risk, but to help the Society determine whether or not the level of risk is acceptable in the circumstances.
Conducting a DPIA does not have to be complex or time-consuming in every case. The Society has created its own DPIA template form to make the process as straightforward and easy as possible.
Why are DPIAs important?
DPIAs are an important tool for identifying data privacy risks and ensuring they are adequately addressed. This is a key part of the Society’s accountability obligations under UK GDPR.
DPIAs help ensure that colleagues involved in designing projects think about privacy at the early stages and adopt a ‘data protection by design’ approach.
How are DPIAs used?
DPIAs can cover a single project which involves the processing of personal data, or a group of similar data processing operations.
Whilst they are usually associated with new projects, it’s important to remember that DPIAs are also relevant if you are planning to make changes to an existing system or project.
In other words, a DPIA is not simply a rubber stamp or a technicality as part of a sign-off process. It’s vital to integrate the outcomes of your DPIA back into your project plan.
DPIAs should not be viewed as a one-off exercise to file away. A DPIA is a ‘living’ process to help you manage and review, on an ongoing basis, the risks of the processing and the measures you’ve put in place. DPIAs should be kept under review and reassessed if anything changes.
The Society’s Data Protection team is launching a new DPIA process. Details of the steps which need to be followed can be found on the easy-to-follow flow diagram here.
Below is a brief summary of the steps involved:

1. Identify the need for a DPIA. Please read the 'Do I need to carry out a DPIA' guidance here.
2. If the need for a DPIA is identified, complete the DPIA template here.
3. Send the completed template to the Data Protection team at email@example.com for review.
4. The Data Protection team reviews it and provides comments if necessary.
5. The Chief Operating Officer or an Executive Team member gives final sign-off.
6. The final copy is sent to the Data Protection team and added to the Society’s DPIA register.
7. The DPIA is kept under review, depending on the project dimensions.