A Data Protection Impact Assessment (DPIA) is a type of risk assessment that considers the data protection implications of a particular project that you are planning to undertake or software solution that you are planning to sign up to.
The DPIA will consider the following factors:
These factors will be assessed to identify the potential risks involved with the project. The DPIA will set out what measures could be implemented in order to address these risks.
The general rule is that a DPIA should be carried out whenever the type of processing involved in the project/software is likely to result in a ‘high risk’ to the individuals’ rights and freedoms.
This means either that harm is more likely to be caused by the project, or that the type of harm that could be caused (given the personal information involved) is more severe.
When deciding if a DPIA might be necessary, you will not be required to identify exactly what type and level of harm may be caused by the project; this will be done by the DPIA itself.
Instead, you should carry out an initial screening to assess whether the full DPIA is required.
UK GDPR Article 35 sets out when a DPIA is legally required.
You may consider it good practice to complete a DPIA before you undertake any project involving the processing of personal information.
A Data Sharing Agreement (DSA), also referred to as a Data Processing Agreement (DPA), is a contract that specifically sets out terms regarding data sharing between a data controller and data processor or joint data controllers.
It will usually set out:
A DSA/DPA may form part of the terms and conditions or service level agreement for the organisation that you are sharing data with.
A DSA/DPA is not a legal requirement, but it demonstrates good data protection practice to have an agreement in place with any organisation with which you regularly share personal data.
In some cases, a DSA/DPA may be provided as standard by the organisation, or a separate DSA/DPA may not be necessary if all the relevant information is already contained within the organisation's existing terms and conditions and/or privacy notice.
A DSA/DPA does not replace the need to carry out a DPIA at the start of a project but may be identified as a required measure within a DPIA.
No. You must ensure that you have checked the compliance measures in place with any organisation before you share any personal data with them, but it is not necessary to have a formal DSA/DPA with each organisation.
It is recommended that you have specific data sharing terms in place with any organisation with which you will regularly share large volumes of personal data and/or sensitive personal data. As mentioned, the terms for data sharing may already be covered within the organisation's terms and conditions and/or privacy notice, without the need for a separate additional agreement.
Register now for DPOCOMS++ and DPOCOMS+, which contain a database of trusted third parties that have been reviewed for compliance and, where necessary, have the relevant DSA documentation ready for you to download.