
Data Protection Impact Assessments (DPIAs)

Data protection impact assessments (‘DPIAs’, formerly known as ‘PIAs’ or privacy impact assessments) have been around for a long time. They represented best practice under the previous law and are now mandatory under the UK GDPR for certain types of high-risk processing. The ICO also publishes a list of processing operations for which, although not mandatory, controllers are encouraged to conduct a ‘best practice’ DPIA. Because many UK organisations do not produce adequate records of processing activities (‘ROPAs’), they fail to identify the processes which require a DPIA, or those for which a DPIA could be beneficial even if not strictly required. Missing out mandatory DPIAs is not only a breach of the law (Article 35 of the UK GDPR); it also increases the chances of data loss or other breaches of data subjects’ rights and freedoms, not to mention the reputational damage, financial claims and increased cyber insurance premiums that follow such infringements.

A DPIA is a data-risk focused quantification and mitigation process that helps you identify and minimise the risks associated with processing personal data. Conducting DPIAs has long been considered best practice, but they have taken on greater significance under the UK GDPR, where they are mandatory for any processing that is likely to result in a high risk to individuals.

Once the data risk has been isolated (e.g., processing without appropriate security measures in place, or transferring data to a country which does not have adequate data protection laws), the DPIA then allows the organisation to quantify that risk by multiplying its likelihood of occurrence (or probability) with the seriousness of the harm (or impact) which would be caused to the data subjects/individuals if the risk materialised.  This combined probability and impact ‘risk score’ can then be either mitigated (reduced) or eliminated entirely through the The DPIA will then record that lower risk quantification figure once the risk reduction/exclusion measure has been applied, so the reader (which can include users of the process within the organisation itself; the regulator; and also, increasingly, customers and potential customers of the business) can see in practical terms the benefits (i.e., the lower, or even sometimes zero, risk scores) delivered by performing the exercise.

Conducting DPIAs will also reduce the probability of data loss or of breaching data subject rights and freedoms. An effective DPIA can bring broader compliance, financial and reputational advantages, helping you demonstrate accountability and build trust and engagement with individuals, and it should become standard practice in every organisation. URM’s DP consultants can advise you on where you should be conducting DPIAs and, more importantly, how to conduct them and what the outputs should be, e.g., identifying and assessing risks to individuals, taking into account both the likelihood and the severity of each risk, as well as identifying any additional measures to mitigate those risks. URM’s team can also provide a review service to ensure you take the right actions.


Why URM?

Track record

URM’s DP and GDPR consultants have extensive ‘real world’ experience as both practitioners and subject matter experts working at a senior level within business and in their data protection consulting roles advising organisations on best practice.  With a 19-year track record assisting organisations to comply with legislation such as the Data Protection Act, the GDPR, the Privacy and Electronic Communications (‘PEC’) Regulations and local country-specific legislation, URM has earned a reputation for adopting a pragmatic and business appropriate approach.

Flexible service offerings

A key differentiator between URM and other data protection service providers is our flexible service offerings.  Our virtual DPO service can be customised to your precise requirements, in terms of the type of support you require and the frequency of support days (remote or on site) etc. Equally, with our remediation support, URM can assist you to address any gaps identified and achieve full GDPR and other legal compliance. We can also help you maintain that compliance through our GDPR auditing services.

Knowledge transfer

URM prides itself on its knowledge transfer philosophy and training expertise which help to ensure that you not only understand what the principles and requirements of the data protection legislation are but also how best to meet them.

"After a bad experience with a previous provider, we looked to URM for QSA support. The URM QSA we have worked with is phenomenal, and considerably better than our previous QSAs. My team enjoy working with him, and find him to be extremely credible and effective. Whenever we have asked our QSA and account manager whether additional work is required outside of the annual cycle, there has never been a hard sell of any of URM’s services; instead they offer advice based on our compliance requirements and business needs. Our URM QSA always consults with the aim of making compliance as straightforward as possible, and pointed us towards a way of significantly minimising and streamlining our assessment scope that neither we nor our previous PCI DSS consultancy provider had considered."

CISO at University of Surrey