DPIA is not just another privacy risk assessment

If not properly guided, companies tend to consider a DPIA just as another name given to their usual process risk assessment. There is a fundamental difference between a DPIA and what companies always carried out assessing what risk they face with a given business process.

UK's programme to trace covid-19 infections has allegedly broken data protection laws. The oversight was first brought to light by the digital privacy campaigners Open Rights Group. The reason was indeed the lack of DPIA as the GDPR intends and mandates for every project which involves special category data subjects' personal information.

The DPIA is not mandatory, though, in all cases, and companies must have a duly formed and experienced DPO in order to point at which process are mandated to first conduct an impact assessment on individuals' privacy even before the green light to start.

Of course, labeling your business privacy impact assessment as DPIA will not pass muster with the Data Protection Authorities. The Department for Health and Social Care has now admitted its flagship test and trace application was launched in May without any such assessment.