Understanding Data Protection Impact Assessments (DPIA) at DPPC2018

Exploring topics related to Data Protection Impact Assessments (DPIA) at the Data Protection Practitioners Conference 2018 (#DPPC2018). Learn about the importance of DPIAs, guidelines for GDPR compliance, consultation processes, and steps for conducting a DPIA. Discover how to identify risks, assess necessity, and implement measures to mitigate risk in data processing operations. Stay informed about DPIA requirements and compliance procedures in the context of data protection regulations.

• Data Protection
• DPIA
• GDPR Compliance
• Risk Assessment
• Data Processing

adira Follow

Uploaded on Aug 09, 2024 | 3 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

Presentation Transcript

1. Data Protection Impact Assessments Drop-in advice session Charter 4 Data Protection Practitioners Conference 2018 #DPPC2018

2. Tell us what you think Go to slido.com/#DPPC2018/DPIA Data Protection Practitioners Conference 2018 #DPPC2018

3. Data Protection Impact Assessments What are they & when are they required? Data Protection Practitioners Conference 2018 #DPPC2018

4. Guide to the GDPR DPIA Awareness checklist DPIA Screening checklist DPIA Process checklist Data Protection Practitioners Conference 2018 #DPPC2018

5. DPIA consultation- closes Friday Tell us your thoughts @ ico.org.uk Data Protection Practitioners Conference 2018 #DPPC2018

6. A process for building and demonstrating compliance Can be used for; a single processing operation, a group of similar operations and evaluating the impact of a technology product. Data Protection Practitioners Conference 2018 #DPPC2018

7. Assess the impact of envisaged processing Describe processing Necessity/proportionality Assess level of risk Identify measures to address risk Data Protection Practitioners Conference 2018 #DPPC2018

8. 1: Identify need for a DPIA 9: Keep under review 2: Describe the processing 8: Integrate outcomes into plan 3: Consider consultation 7: Sign off and record outcomes 4: Assess necessity and proportionality 6: Identify measures to mitigate risk 5: Identify and assess risks Data Protection Practitioners Conference 2018 #DPPC2018

9. Article 35 Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. Data Protection Practitioners Conference 2018 #DPPC2018

10. Article 35 Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. Data Protection Practitioners Conference 2018 #DPPC2018

11. Article 35 Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. Data Protection Practitioners Conference 2018 #DPPC2018

12. Clause 64(1) DP Bill Part 3 Law enforcement purposes Where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, the controller must, prior to the processing, carry out a data protection impact assessment. Data Protection Practitioners Conference 2018 #DPPC2018

13. Recital 77 The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data . Data Protection Practitioners Conference 2018 #DPPC2018

14. Article 35(4) Article 35(3) Systematic, extensive evaluation (ADM/profiling New Technologies Profiling/SPD access to services Profile individuals (large scale) Biometric data Genetic data Match/combine datasets Invisible processing Track location/behaviour Profile children/vulnerable Data which may endanger subjects in case of a breach Large scale Art 9/10 processing Large scale monitoring, publically accessible area

15. ICO proposed list 1. New technologies 6. Risk of physical harm 2. Denial of service 7. Data matching 3. Large-scale profiling 8. Invisible processing 4. Biometric data 9. Tracking 5. Genetic data 10.Targeting of children/vulnerable individuals Data Protection Practitioners Conference 2018 #DPPC2018

16. 1, New Technologies Processing involving the use of new technologies, or the novel application of existing technologies (including AI). Data Protection Practitioners Conference 2018 #DPPC2018

17. 2, Denial of service Decisions about an individual s access to a product, service, opportunity or benefit which is based to any extent on automated decision-making (including profiling) or involves the processing of special category data. Data Protection Practitioners Conference 2018 #DPPC2018

18. 3, Large-scale profiling Any profiling of individuals on a large scale. Data Protection Practitioners Conference 2018 #DPPC2018

19. What does large scale mean? You should consider: Number of individuals Volume of data Variety of data Duration of the processing Geographical extent Data Protection Practitioners Conference 2018 #DPPC2018

20. Tracking individuals using a citys public transport system Data Protection Practitioners Conference 2018 #DPPC2018

21. A hospital processing patient data (not an individual clinician) Data Protection Practitioners Conference 2018 #DPPC2018

22. Want to ask us a question? Go to slido.com/#DPPC2018/DPIA Data Protection Practitioners Conference 2018 #DPPC2018

23. 4, Biometrics Any processing of biometric data. Data Protection Practitioners Conference 2018 #DPPC2018

24. 5, Genetic data Any processing of genetic data other than that processed by an individual GP or health professional, for the provision of health care direct to the data subject. Data Protection Practitioners Conference 2018 #DPPC2018

25. 6, Data matching Combining, comparing or matching personal data obtained from multiple sources. Data Protection Practitioners Conference 2018 #DPPC2018

26. 7, Invisible processing Processing of personal data that has not been obtained direct from the data subject in circumstances where the controller considers that compliance with Article 14 would prove impossible or involve disproportionate effort. Data Protection Practitioners Conference 2018 #DPPC2018

27. 8, Tracking Processing which involves tracking an individual s geolocation or behaviour, including but not limited to the online environment. Data Protection Practitioners Conference 2018 #DPPC2018

28. 9, Targeting of children or other vulnerable individuals The use of the personal data of children or other vulnerable individuals for marketing purposes, profiling or other automated decision-making, or if you intend to offer online services directly to children. Data Protection Practitioners Conference 2018 #DPPC2018

29. 10, Risk of physical harm Where the processing is of such a nature that a personal data breach could jeopardise the [physical] health or safety of individuals. Data Protection Practitioners Conference 2018 #DPPC2018

30. Data Protection Practitioners Conference 2018 #DPPC2018

31. DPIA consultation- closes Friday Tell us your thoughts @ ico.org.uk Data Protection Practitioners Conference 2018 #DPPC2018

32. Guide to the GDPR DPIA Awareness checklist DPIA Screening checklist DPIA Process checklist Data Protection Practitioners Conference 2018 #DPPC2018