The digital footprint of our society has grown rapidly in recent years. This has made business operations more effective in many ways. However, the loss of data privacy seems to go hand in hand with technological advances. All of this makes security and privacy increasingly important, which prompted the creation of privacy laws and the DPIA (data protection impact assessment).

Why is this important?

Over 120 countries worldwide have already enacted data protection laws, aiming to make technology safer for their citizens. Even so, 79% of people are concerned about how companies use the data they collect from them.

In addition to consumers, employees also share these concerns. Companies need to collect and process a pool of data for each worker these days. 

To protect the privacy of citizens and employees, countries around the world implement a series of regulations and laws that companies must follow to avoid penalties and keep their reputations intact.

Understanding the GDPR: What is DPIA

It all started with the European Union’s GDPR (General Data Protection Regulation). Its passage changed how companies collect, store and handle sensitive employee data and consumer data. Soon after, the GDPR introduced an important element to enforce the law: the DPIA.

The GDPR was the first legislation of its kind to protect consumer rights over their personal data. Today, one of the requirements of privacy laws such as the GDPR is that businesses must deploy DPIAs to protect their consumers and employees.

Simply put, the legislation requires companies to perform a DPIA before they process data or work on projects that use employee data. A DPIA is a systematic analysis of a business’s processes that helps it identify and minimize data protection risks.

This all sounds simple, but since the laws are new and change regularly, many are confused about who must deploy DPIAs and in which situations. As other countries also start requiring DPIAs, this adds further to the confusion.

If you’re looking to properly handle HR data in the workplace and remain compliant with privacy protection laws, this article will tell you when and how to use DPIAs to process your employees’ records. 

How to use DPIA to process employee records

It’s important to note that the DPIA needs to be done prior to the monitoring or processing of data. According to the Data Protection Act 2018, this should be done prior to processing data that is “likely to result in a high risk” to the person.

Doing a DPIA is a challenge, but if you know what to include in it, this will help you ensure compliance. According to this article on data protection impact, a good DPIA includes the following:

  • Information about the person whose data your company is processing
  • The type of data you’ll process and use
  • The context, nature, and scope of processing
  • Why and how you’ll be using the information
  • Identification and thorough assessment of privacy risks for the person
  • Measures you plan to take to prevent or minimize the risks you determined

If you gather all this information in an assessment, you’ll know what steps to take to be GDPR compliant. And if you are looking for ways to make this simpler and more effective, Osano’s Data Discovery platform will keep track of all the information you have, where you store it, and who has access.

Characteristics of a good DPIA

According to the ICO, for a DPIA to have a positive outcome, it should:

  • Cover the company’s compliance with the privacy act
  • Balance the employee’s rights
  • Help the employee see that the company has considered all risks and met all data protection obligations

Once you complete a DPIA, it should be signed off, followed by incorporating any measures that were identified in the assessment. If, while creating the document, the employee identifies a high risk without a good solution in sight, they can decide either to:

  • Request guidance from the ICO or 
  • Accept the risk and go ahead with the data processing

Here is an ICO recommendation on the matter:

Now that you know the how, let’s move on to the when. 

When you should deploy DPIA to process employee records

How do you assess if something is ‘high risk’?

To do this, you should consider the likelihood of harm to your employee. Once you see a likelihood of harm, the next move is to assess the severity of that harm. There are 3 scenarios that you can come across.

If the harm is highly likely, you should deploy a DPIA.

If the harm is highly unlikely and would not be severe, you don’t need a DPIA.

If the harm is less likely but would be severe, you should consider deploying a DPIA.

If we look at this from the perspective of an employee, the most likely scenario where you should complete a DPIA is if you plan to use:

  1. Profiling or automated data processing with the goal of making predictions. Employers often use this to assess employee benefits, introduce a testing policy in the workplace (such as drug or alcohol testing), etc.
  2. Biometric data, such as retinal scanners and fingerprint scanners used to access the workplace.
  3. Electronic surveillance of the employee while they are at work, including cameras in the office or monitoring of their internet usage.
  4. Tracking devices that record their behaviors and location, such as CCTV monitors or tachographs in company vehicles.

Keep in mind that these are just examples of situations where you should deploy DPIAs. Every company must assess the situations their employees are in to determine whether or not they need one. 

Use DPIAs to avoid penalties and keep your team happy

Let us give you an extra tip here. If you aren’t sure whether or not the risk requires a DPIA, do it anyway! These assessments are created to help you cover your bases and be compliant with data privacy regulations. Taking measures to protect your team’s data can do wonders for your reputation as an employer, and help you keep your employees safe.