A Data Protection Impact Assessment (DPIA) is a process, required by the EU General Data Protection Regulation (GDPR), to help identify and minimize the data protection risks of a project.
The UK Information Commissioner’s Office (ICO) has published new guidance on DPIAs.
Per the guidance, you are required to do a DPIA if you plan to:
- use innovative technology (in combination with any of the criteria from the European guidelines);
- use profiling or special category data to decide on access to services;
- profile individuals on a large scale;
- process biometric or genetic data (in combination with any of the criteria from the European guidelines);
- match data or combine datasets from different sources;
- collect personal data from a source other than the individual without providing them with a privacy notice (“invisible processing”);
- track individuals’ location or behavior;
- profile children or target marketing or online services at them;
- process data that might endanger the individual’s physical health or safety in the event of a security breach.
Read the full guidance.