NAVIGATING THE DATA PROTECTION LANDSCAPE: THE CRUCIAL ROLE OF IMPACT ASSESSMENTS

It is 2024 and privacy professionals are still being asked by their colleagues: ‘Why should I care about privacy?’

Today, companies are collecting personal data in various ways: tracking website visitors, evaluating job applicants, even scanning fingerprints for timekeeping. With this data boom comes increased privacy and security risks. One way for companies to manage these risks is by doing a data protection impact assessment (DPIA).

A DPIA is a process whereby a company reviews and summarises a data processing activity, identifies related privacy risks and then outlines steps to manage and mitigate those risks. This process and its results are then compiled in a report.

When to conduct a DPIA

Companies processing the data of residents from the European Economic Area (EEA) have been conducting DPIAs in compliance with the European Union’s (EU’s) General Data Protection Regulation (GDPR), or corresponding privacy law in Switzerland, since 2018. In fact, more sophisticated companies have been doing DPIAs well before then as a general good practice. Now, companies processing the data of US residents are facing similar requirements under 11 out of the 13 state privacy laws.

DPIAs are mandatory when data processing results in a high or significant risk to individuals. Assessing the level of risk involves considering both the likelihood and severity of potential impacts on individuals whose data the company is processing.

Previously, one could argue that most data processing activities did not meet such a high standard of risk to individuals. If anything, most companies would not even want to do a DPIA for fear of implying that a processing activity would then presumptively be considered high risk.

Jan-Mar 2024 Issue

Ampersand