Data Protection Impact Assessment
A data protection impact assessment (“DPIA”) is an evaluation of a project, process, or activity (PPA) within a data controller’s operations, with a view to identifying the impact of the PPA on the personal data of data subjects. DPIAs are usually undertaken when a data controller intends to roll out a new PPA, or to modify existing ones, that may involve the processing of personal data.
A myriad of organisational activities can necessitate the conduct of a DPIA. For instance, an investment company rolling out a new mobile app for its customers, a medium-scale business changing its accounting software, a law firm moving its client filing system from manual to electronic, or an oil company outsourcing its HR function would all qualify as activities requiring a DPIA to be undertaken.
The main purpose of a DPIA is to gauge the likelihood that the PPA might breach the rights of some data subjects, as well as the extent and impact of such breach should it occur. It is usually undertaken as a pre-emptive step, akin to a risk assessment.
It is not mandatory for a data controller to perform a DPIA on all existing, new or modified PPAs. Pursuant to the NDPR Draft Implementation Framework issued by NITDA, a DPIA is required where a data controller intends to embark on a project “that is likely to result in significant risks to the rights and freedoms” of data subjects. Article 35 of the GDPR adopts the word “high” in place of “significant”, but the import of its provision is similar to that of the NDPR Framework.