Under Article 35 of the GDPR, where data processing is likely to involve a high risk to the rights and freedoms of the persons whose data is processed, the data controller must conduct a data protection impact assessment (DPIA) before processing that data. The controller should seek the advice of a data protection officer.
The purpose of the assessment is to identify risks and to mitigate them.
Failing to carry out a required DPIA, or carrying it out incorrectly, can lead to an administrative fine of up to €10M or 2% of turnover.
A DPIA is only required in high-risk matters.
Evidently, then, assessing the level of risk is very important, i.e. whether the processing carries a high risk or a low risk.
So the data controller needs to determine whether a Data Protection Impact Assessment is required, and if it is, describe the data processing, assess the necessity and proportionality of that processing, identify and assess the risks, identify ways to mitigate those risks, and document and record all outcomes in the data protection impact assessment.
The aim of this process is prevention rather than cure, and it is helpful for data controllers whose processing falls into the high-risk category to think this way, as mitigating risk from the outset is far better than cleaning up after a data breach once the horse has bolted, so to speak.
It is not mandatory for the data controller to publish the data protection impact assessment.
