What Is A DPIA And How To Conduct It [Video & Infographics]
Carrying out a Data Protection Impact Assessment (DPIA) is an important part of an organization's accountability obligations under the General Data Protection Regulation (GDPR).

This article explains the steps your organization can take to carry out a DPIA.

What is a DPIA?

A Data Protection Impact Assessment is a process that identifies and minimizes the risks related to the processing of personal data. Organizations usually conduct a DPIA when they begin a new data processing activity or when they modify an existing one (e.g. when new technology is deployed).

A DPIA is a formal procedure for documenting and evaluating an activity that involves the processing of personal data.

Under the GDPR, a DPIA is a legal requirement whenever a data controller envisages a processing activity that is “likely to result in a high risk to the rights and freedoms of natural persons” (GDPR, Article 35).

If, in such a case, the controller fails to undertake a DPIA, it risks an administrative fine of up to 2% of the organization’s annual global turnover or €10 million, whichever of the two is higher.

Now that we have your attention, we should also say that a DPIA is not something to be afraid of. On the contrary, a DPIA can bring benefits to your organization, so even if you are not required to undertake one, it is highly recommended that you do.

For example, when you are about to introduce a new product or service, you should consider a DPIA, as it will greatly help you adhere to the core principles of personal data processing.

This doesn’t necessarily mean that conducting a DPIA is an easy exercise. One complicating factor is that it is not a one-size-fits-all process that can be applied unchanged to every type of organization.

A DPIA is quite a comprehensive exercise: it should include a risk assessment, accompanied by a list of the measures the organization will take to reduce the identified risks. So when should a data protection impact assessment be conducted?


Elements of a DPIA: Description of the processing

1. The purpose of processing

Among the very first questions you, as a data controller, should ask are:

• Why do you want to process personal data?
• Is there a legitimate interest for the processing?
• What will be the result of the processing?
• What will you achieve with the processing?

2. The context of data processing

This should give you a clear picture of the factors that shape expectations about the processing. Some questions to ask include:

• What is the source of the data which you want to process?
• What does your relationship with the data subjects look like?

If you have prior experience with a specific type of processing that you are about to repeat, make sure to highlight it too. Furthermore, the GDPR guarantees data subjects various rights, so you need to specify whether your data subjects have control over the data you collect and process.

3. The nature of data processing

This is the part where you have to be clear about how you plan to use the data. Some questions that may help:

• Who are the people with access to the data?
• Who do you share the data with?
• How is the data collected and stored?
• What are the defined retention periods?
• What security measures have you undertaken to protect the data?
• How do you use the data?

4. The scope of data processing

Here you consider what the processing of personal data covers, for example:

• Duration of the processing
• The sensitivity of the personal data
• Frequency and extent of the processing
• The number of data subjects whose personal data are involved in the processing

Where necessary, consult all parties involved, especially data processors. Although it is the data controller’s responsibility to conduct a DPIA, the GDPR stipulates that data processors must “assist the controller in ensuring compliance” (GDPR, Article 28).

Last but not least, consider getting in touch with IT experts and legal advisors to ensure your processes are compliant.

DPIA infographics

Identifying and assessing risks

To assess a privacy risk, start with the impact the potential risk would have and the likelihood of its occurrence.

Professionals involved in the risk assessment process typically use structured matrices, similar to the one shown below.

The matrix in the example video is from our Data Privacy Manager solution. It shows a risk that is Probable to occur and will have a Major impact once it does; according to the matrix, this combination results in a MODERATE risk.

DPIA risk score matrix

Other methods for assessing risks can be used, but the one presented here is straightforward and easy to understand.

What else to keep in mind when conducting a DPIA?

Organizations can have tens, sometimes even hundreds, of different processing activities, depending on their industry and the complexity of their business.

However, they all share the need to assign ownership of each and every processing activity.

In DPM parlance, this role is known as the Process activity owner, or PAO for short. The PAO manages the processing activities within her or his organizational unit, but also collaborates with, and seeks guidance from, the DPO during the data protection impact assessment.

This confirms the DPO's role as the central player when it comes to data privacy and the processing of personal data.

Conducting a Data Protection Impact Assessment is not a one-time process that you perform and then forget about.

Because it helps you identify processing activities that could pose a high risk to data subjects’ rights, the process activity owner should revisit the DPIA whenever any of its circumstances change and update it accordingly.

At the extreme end of the spectrum, should your DPIA result in a very high risk to the rights and freedoms of data subjects that you are unable to mitigate, you are obliged to refrain from performing the related processing and to consult your supervisory authority.
