My earlier blog post sparked an amusing thought which generated some fun discussions on LinkedIn, and reminded me that there's a lot of confusion between 'data protection by design and by default' (GDPR Article 25) and the 'Data Protection Impact Assessment' (GDPR Article 35). Because I scribble, therefore I think: I ended up with this flowchart...
...and some notes for my next Mythbusting post!
(You're welcome to re-use this content as long as (a) I get credit and (b) you're not getting anyone to pay you for it.)
Accessible text:
Do I do a DPIA?
1: Processing already under way?
Y: go to 2
N: go to A
2: Willing to stop if it turns out to be unsafe/unlawful?
Y: (technically it's a gap analysis, but) do the DPIA
N: go to 3
3: Willing to spend time/£/effort on fixing data protection issues highlighted by DPIA?
Y: do the DPIA
N: don't waste your time and effort. Stock up on incident response provisions instead; you're gonna need them.
A: ‘High-risk’ processing?
Y: do the DPIA
N: go to B
B: Did you have to wriggle to arrive at this answer?
Y: do the DPIA
N: go to C
C: Did you answer based on the data itself?
Y: go back and take into account context, data subject rights, technologies, environment and outcomes
N: You don’t need a DPIA - BUT - you do need ‘data protection by design and by default’!