Thinking about introducing new tech or a contract where you or a third party are processing personal data? You’ll need an impact assessment!
Impact assessments are seldom used but are incredibly important (especially if you suffer a data breach) – here’s a reminder of what an impact assessment involves:
Identification – calling out the specific personal data your new tech or contract will be processing and how it’ll be used.
Security and safeguards – evidencing how you’ll ensure data isn’t processed beyond the purpose for which it was gathered, how it’ll be kept up to date, where (if anywhere) it’ll be transferred and how any potential risks to individuals’ privacy will be mitigated (for example, by restricting access or anonymisation).
Action and follow-up – it’s one thing to identify potential data risks in your assessment, but a thorough and robust process will capture the actions needed to address or minimise those risks. Make sure you have a record of all follow-ups.
Our data protection toolkit contains a template impact assessment and guidance on creating robust data processing practices – get in touch to find out more.