Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) is a tool for building and demonstrating compliance with the GDPR (Article 35). A DPIA applies a systematic process for assessing the impacts of a given processing of personal data, and the effect that processing has on the fundamental rights of the data subject (e.g. a patient), in particular the right to privacy. The DPIA is not a one-time exercise: it should be reviewed continuously and formally re-assessed whenever the processing, its purposes or the risks change.

In some cases, a DPIA is voluntary. In many areas of the HBP, however, a DPIA will be mandatory: specifically, wherever the processing of personal data is likely to "result in a high risk to the rights and freedoms of natural persons." This applies in particular to the HBP platforms and, more generally, to the scope and subject matter of research in many of the SPs, which involve special categories of personal data (e.g. health and medical data). The GDPR explicitly lists large-scale processing of such special categories as a case requiring a DPIA.

The HBP is starting its DPIA work in SP8 with the Medical Informatics Platform (MIP). The SP8 DPIA will apply the methodology created by the Commission Nationale de l'Informatique et des Libertés (CNIL, the French Data Protection Authority). The CNIL methodology is supported by open source software for conducting a Privacy Impact Assessment (PIA), which is also useful for conducting a DPIA. The CNIL guidance incorporates the requirements of the GDPR and the Article 29 Working Party opinion on DPIAs. The CNIL methodology can be combined with other DPIA methods, including those developed by the ISO (International Organization for Standardization), such as ISO/IEC 29134 on privacy impact assessment.

The sources below will be of interest to SPs interested in starting a DPIA:

This page was last updated on 08/05/2018.