DPIA AND LIA
A Data Protection Impact Assessment (DPIA) is a process designed to help you systematically analyse, identify and minimise the data protection risks of a project or plan. It is a key part of your accountability obligations under the UK GDPR, and helps you assess any medium- to high-risk processing. A DPIA should effectively mitigate any high-risk processing and outline a plan of action to review and monitor any risky personal data processing. This tool is also highly recommended when implementing any new systems or software programmes which handle personal or special category data.
DPIAs are designed to be a flexible and scalable tool that you can apply to a wide range of sectors and projects. Conducting a DPIA does not have to be complex or time-consuming in every case, but there must be a level of rigour in proportion to the privacy risks arising.
Another effective tool to demonstrate legal compliance of your personal data processing is a Legitimate Interest Assessment (LIA). An LIA is a crucial tool when businesses are not typically relying upon consent to process their staff or customer data. An LIA supports the lawfulness of your processing, proves you have done your groundwork to determine that legitimate interest is a proper lawful basis, confirms your compliance, and allows you to align with the accountability principle.
You need to record your LIA and the outcome of any assessment, which should only be carried out by an experienced privacy practitioner.
GDPR Solutions