The Information Commissioner’s Office has published guidance on how to carry out a DPIA (Data Protection Impact Assessment).
The guidance is intended to help organisations undertake such assessments and:
- Explains the importance of DPIAs in relation to organisations’ accountability requirements under the GDPR
- Confirms that, when considering the likelihood of ‘high risk’, the focus should be on any potential harm to individuals, including intangible harms such as ‘significant economic or social disadvantage’
- Lists high-risk types of processing, including when using new technologies, processing biometric data or targeting vulnerable individuals
- Refers to the Article 29 Working Party’s guidance on nine criteria which could indicate likely high-risk processing
- Includes a DPIA awareness checklist for organisations to use when deciding whether it is necessary to undertake a DPIA.