Management wants to implement a system that monitors the keystrokes of your colleagues. The main reason is IT security; however, as a nice little side effect, it will enable your company to monitor when you are working and how efficient you are.
As a privacy professional, you need to do your magic. But how is that best organised? The ICO has a proposal: the DPIA process.
Understanding DPIA
There it is again – The DPIA. The unavoidable work you have to do to make sure that your new system is legally implemented and that you do the risk assessment that you have to do, when there is a potential high risk regarding the protection of data.
You have probably come across it many times in your job. And if not, we are here to guide you. Because what is the purpose of a DPIA exactly, and what does it entail?
Like managing a flower bed
The most important thing to understand about a DPIA is that it is not a one-time task. It is an ongoing process that runs alongside your system. The earlier you start, the easier it becomes to manage.
“Managing systems through a DPIA process is a bit like tending to a flower bed. If left unattended, new types of weeds, grasses and flowers will pop up. In organisations, it is marketing and HR coming up with new and exciting ways to utilise systems and data. Some of it will have to be weeded out, while some can stay. The sooner you get it, the easier it is to remove or change,” says Jacob Høedt Larsen, Public Relations & Public Affairs specialist at Wired Relations.
A DPIA contains information about data processing, risks mitigation, necessity and more. Check out our '7 Steps to a great DPIA' for detailed insights. Simply put, a DPIA is successful when you've considered data protection risks related to your new system before implementing it.
Stay on top of your ROPA
Article 35 of GDPR states that a DPIA is necessary when a processing is likely to result in a high risk to the rights and freedoms of natural persons.
We suggest, however, that you always go through the DPIA steps when you implement a new system or a new process – also when you are not obliged to do so. Why? Because the steps ensure that you stay on top of your ROPA (Register of Processing Activities) and risk work.
Starting early and viewing it as a dynamic document is key as well as ensuring your DPIA is always updated and maintained to reflect changes in the use of the system.
The worthwhile process
The DPIA process can be comprehensive, as both the business, IT, the DPO, and the data subjects usually have to be involved. But it is worth the while.
“It is so much easier to make changes before HR actually implements the new system. Compliance should not be the nay-sayers of the organisation. Our job is to advise and help so that we reach business objectives in a legal manner. Therefore, we need to get in early and understand what the system is doing and what the business wants from it,” says Jacob Høedt Larsen.
Failure to conduct a DPIA can have consequences. In Denmark, 53 municipalities are in an ongoing case for illegally sharing school children's data with Google via Chromebooks.
Something that could have been avoided with a DPIA.
This case is just one example, and the severity of consequences can vary. However, being on the safe side brings you one step closer to securing a safe data environment for your data subjects and sustainable compliance in your organisation.
Are you ready to get started?
Get help managing your DPIA – Book a meeting with us to hear more.
Mastering the DPIA process - register for a free Masterclass
The DPIA process is crucial whenever your organisation considers a new system or a new process. We’ve created an online Masterclass in mastering it. You’ll learn how to set up your organisation for the process, how to collaborate with your organisation and how to do the individual steps effectively. The Masterclass is divided into two online courses, each consisting of one-hour sessions.
Sign up for the online Masterclass here:
Masterclass I - Tuesday April 9: Diving into the steps to take
Masterclass II - Thursday April 25: Seuring buy-in and collaboration
