What is a DPIA?
A Data Protection Impact Assessment (DPIA) is a process that systematically identifies and minimizes the risks arising from personal data processing. A DPIA should also help you demonstrate compliance with your data protection and accountability obligations.
EU Guidelines define DPIA as:
“… a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them.”
Organizations usually conduct a DPIA once they engage in a new data processing activity or modify an existing processing activity (e.g., when new technology is deployed).
A DPIA is a formal procedure that aims to record and evaluate an activity specifically related to the processing of personal data. It assesses the level of risk by considering both the severity and the likelihood of the impact on individuals.
DPIA and GDPR
Implementation of a Data Protection Impact Assessment (DPIA) is an important aspect of the General Data Protection Regulation (GDPR) accountability obligations of an organization.
Under the GDPR, DPIA is a legal requirement if a data controller envisages a processing activity that is “likely to result in a high risk to the rights and freedoms of natural persons” (GDPR, Article 35).
“Where a type of processing, in particular, using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
If, in such a case, the controller fails to undertake a DPIA, they risk administrative fines of up to 2% of the organization’s annual global turnover or €10 million, whichever of the two is higher.
Why should you conduct a DPIA?
Now that we have your attention, we should also say that DPIA is not something to be afraid of.
On the contrary, a DPIA can benefit your organization even when you are not required to undertake one, so it is highly recommended that you do so anyway.
For example, when you are about to introduce a new product or service, you should consider a DPIA, as it will greatly help you adhere to the core principles of personal data processing.
This doesn’t necessarily mean that conducting a DPIA is an easy exercise. One complicating factor is that it is not a one-size-fits-all process; it has to be tailored to each type of organization.
A DPIA is quite a comprehensive exercise, and it should include a risk assessment process accompanied by a list of the measures the organization will take to reduce the identified risks.
When do you need to conduct a DPIA?
As we mentioned before, you should conduct a DPIA before you begin any type of processing that is likely to result in a high risk.
This means you need to screen for risk factors that point to a potentially serious impact on individuals.
According to the GDPR, you must conduct a DPIA if you plan to:
- Use systematic and extensive profiling with significant effects;
- Process special category or criminal offence data on a large scale; or
- Systematically monitor publicly accessible places on a large scale.
If you are trying to assess whether your processing is likely to result in a high risk, the Guidelines on Data Protection Impact Assessment (DPIA) can help you decide.
In addition, the supervisory authorities are obliged to publish a list of the kinds of processing operations that are subject to the requirement for a data protection impact assessment.
Elements of a DPIA
1. The purpose of processing
Among the very first questions you, as a data controller, should ask are:
- Why do you want to process personal data?
- Is there any legitimate interest for processing?
- What will be the result of the processing?
- What will you achieve with the processing?
2. The context of data processing
This should give you a clear picture of what might affect the expectations of the people whose data you process. Some questions to ask include:
- What is the source of the data which you want to process?
- What does your relationship with data subjects look like?
If you have previous experience with a specific type of processing that you are about to repeat, make sure to highlight it too. Furthermore, the GDPR guarantees data subjects a number of rights, so you need to specify whether your data subjects have control over the data you collect and process.
3. The nature of data processing
This is the part where you must be clear about how you plan to use the data. Some questions that may help are:
- Who are the people with access to the data?
- Who do you share the data with?
- How is the data collected and stored?
- What are the defined retention periods?
- What security measures have you taken to protect the data?
- How do you use the data?
4. The scope of data processing
Here you will consider what the processing of personal data covers, for example:
- Duration of the processing
- The sensitivity of the personal data
- Frequency and extent of the processing
- The number of data subjects whose personal data are involved in the processing
Make sure to consult all parties involved where necessary, especially data processors.
Although it is a data controller’s responsibility to conduct DPIAs, GDPR stipulates that data processors must “assist the controller in ensuring compliance” (GDPR, Article 28).
Lastly, consider getting in touch with IT experts and legal advisors to ensure your processes are compliant.
Identifying and assessing risks
To identify a privacy risk, you must start with the impact the potential risk would have and the likelihood of it occurring.
Professionals involved in the risk assessment process like to use structured matrices similar to the one shown below.
The matrix in the example video is from our Data Privacy Manager solution. It shows a risk that is Probable to occur and would have a Major impact once it occurs; according to the matrix, this results in a MODERATE risk.
Other methods for assessing risks can be used; however, the one presented here is straightforward to understand.
Final thoughts: What else to keep in mind when conducting a DPIA?
Organizations can have tens, sometimes even hundreds, of different processing activities, depending on the organization’s industry and complexity.
However, they all share the need to assign ownership responsibility for each and every processing activity.
In the Data Privacy Manager parlance, this is known as Process activity owner, or PAO for short.
The role of a PAO is to manage processing activities within her or his organizational unit and to collaborate with, and seek guidance from, the DPO during the data protection impact assessment.
This confirms the DPO’s role as the central and key player when it comes to data privacy and processing of personal data.
Conducting a Data Protection Impact Assessment is not a one-time exercise that you can perform and then forget, since it serves to help you identify those processing activities that could pose a high risk to data subjects’ rights.
The process activity owner should revisit the DPIA whenever any of its circumstances change, updating it accordingly.
At the extreme end of the spectrum, should your DPIA identify a very high risk to the rights and freedoms of data subjects that you are not able to mitigate, you are obliged to refrain from processing and to consult your supervisory authority.