Data Protection Impact Assessment
The GDPR states that Data Protection Impact Assessments are mandatory in certain circumstances and are advisable in others. BDO considers DPIAs to be best practice regardless of circumstances.
An organisation's approach to data protection, its documented procedures, training policies and risk register are all significant factors in determining the appropriate level of fine that will be levied by the Supervisory Authority (SA) in the event of a breach. Therefore, it is essential that organisations take the opportunity to review their GDPR status and identify their shortcomings with regard to meeting the GDPR's requirements. A DPIA is the first step in doing this.
DPIAs start by providing clients with a clear, unambiguous picture of:
- their current processes; in many cases there is more than one version of the same process being followed
- the systems used to process and store data, including data backups, physical records and archives
- the personal data being collected, processed and stored and how that data maps to processes and systems
Next, this holistic view is used to perform a risk analysis to identify and rate any risks and issues. The final stage of the DPIA is to determine the appropriate solutions in order to address issues and mitigate risks, define the steps to implement those solutions and then deliver an action plan based on business impact/need, cost and resource availability.