Data Protection Impact Assessment

A Data Protection Impact Assessment (DPIA) is a systematic process used to identify and mitigate the privacy risks associated with the processing of personal data, and to determine appropriate measures to address those risks. By undertaking a DPIA, organizations can guarantee that privacy risks are thoroughly considered and effectively managed, which ultimately improves and reinforces individuals’ rights regarding data protection.

Gathering, retaining, and using data exposes individuals to the risk of unintentional disclosure, theft, or unlawful use of their information without the data subject’s knowledge. For this reason, Section 41 of the Data Protection Act recognizes the importance of data controllers and processors taking the necessary steps to reduce the adverse effects on the privacy of the individuals whose data is involved. Where a DPIA indicates that the processing would result in a high risk to the rights and freedoms of a data subject, the data processor is required to consult the Data Commissioner before processing that data.


When is DPIA required? Section 31 of the Data Protection Act provides that, where a processing operation is likely to result in high risk to the rights and freedoms of a data subject, by its nature, scope, context and purposes, a data controller or data processor shall, prior to the processing, carry out a data protection impact assessment. This means that risks created by the processing of data must continuously be assessed in order to identify when the processing of data is likely to result in high risk to the rights and freedoms of a data subjects.
Examples of High-risk situations that could potentially require DPIA.

a) Processing of sensitive data on a large scale. Sensitive data, according to the Data Protection Act, means data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including the names of the person’s children, parents, spouse or spouses, sex or the sexual orientation of the data subject.
b) Systematic monitoring of public areas on a large scale. This is because personal data may be gathered where members of the public are not aware of who is collecting the data and how it will be used.
c) Processing of data using new technology, taking into account the nature and purpose of the processing. The consequences of using new technology may not yet be revealed, so an assessment enables a data processor or controller to understand and cater for such a risk.

Section 31 of the Data Protection Act also provides what a Data Protection Impact Assessment should contain:
a) A systematic description of the anticipated processing operations and the purposes of the processing, which may include the legitimate interest pursued by the data controller or data processor.
b) An evaluation of whether the processing is necessary and proportionate in relation to the purpose for which the data is collected.
c) An assessment of the risks to the rights and freedoms of data subjects.
d) The measures envisaged to address those risks, and the safeguards, security measures and mechanisms that ensure the protection of personal data and demonstrate compliance with the Act, taking into account the rights and legitimate interests of data subjects and other persons concerned.

In addition, Sections 41 and 42 of the Data Protection Act recommend matters that should be addressed in the DPIA, which include but are not limited to:
• the amount of personal data collected.
• the extent of its processing.
• the period of its storage.
• its accessibility; and
• the cost of processing data and the technologies and tools used.

In conclusion, a DPIA promotes compliance. It should therefore be started as early as possible and updated as the project progresses, in order to ensure that the rights and freedoms of data subjects are protected.