GDPR: The 4 Essential Parts of a DPIA
What is a Data Protection Impact Assessment?
A Data Protection Impact Assessment (DPIA) provides a methodical and comprehensive way to analyze the processing of personal information and help to identify and mitigate data protection risks.
Under the GDPR businesses are legally required to carry out a DPIA if any type of processing is likely to result in a high risk to the data subject, as stated in Article 35 of the GDPR.
Failure to carry out a DPIA in such cases can potentially leave a business wide open to enforcement action, including a fine of up to €10 million, or 2% of global annual turnover, whichever is highest.
That said, DPIAs are not simply a compliance exercise…
A DPIA enables businesses to prioritize risks and handle those risks proportionately, in order to make advised decisions. It also serves to demonstrate that the business has implemented appropriate data privacy procedures and controls, which help to resolve problems at an early stage.
Identifying a problem early on can often mean a simpler and less costly solution, as well as avoiding potential reputational damage.
In general, consistent use of DPIAs increasesthe awareness of privacy and data protection issues within your organisation and ensures that all relevant staff involved in designing projects think about privacy at the early stages and adopt a ‘data protection by design’ approach.
~ Information Commissioner’s Office
How and When to use a DPIA
The Article 29 Working Party provide nine processing operations “likely to result in a high risk” . These can serve as useful guidance for determining when data-processing activities match the “high risk” level. This is the point when a company should seriously consider conducting a DPIA if it engages in any of the following processing activities:
Profiling, evaluating, or scoring data subjects (e.g., for predictive purposes).
Processing sensitive data or data of a highly personal nature.
Large-scale data processing.
Matching or combining data sets.
Processing data concerning vulnerable data subjects.
Innovative uses or applications of new technological or organizational solutions to personal data.
A Data Protection Impact Assessment can can be used for an individual processing operation, or for a group of similar processing operations. In some situations it could be possible to rely on an existing DPIA, as long as it covers a similar processing operation with similar risks. A group of controllers can also do a joint DPIA for a group project or industry-wide initiative.
A Step-by-Step Approach
GDPR Article 35.7., sets the minimum elements to be assessed. These are:
37.5 (a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
This requires a detailed listing of the data processing, including;
the legal basis for processing;
categories and types of personal data being processed;
details of all stakeholders, Data Controllers and Data Processors; and
details of data flows i.e. is the data transferred/disclosed to a third party?
37.5 (b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
This means that the DPIA must provide a proportionality analysis. In simple terms, are the used data essential in order to fulfill the intended objective?
The DPIA must explain:
the objective of processing the data;
the reasons for processing the data in a particular way, to meet the desired objective?; and
whether or not there other ways that the task can be completed? (it is necessary to explain why the chosen processing method is followed.)
! It is important to carefully consider whether are simpler (less risky) ways of achieving the same objective?
37.5 (c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
Generally, these risks relate to the “rights and freedoms of natural persons”. This section of Article 37.5 refers to Recital 75, which states the following:
The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade-union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.
In reality, there are even more types of risk we could list, including:
reversal of pseudonymisation;
confidentiality breach of privileged data.
Confused? Don’t be. The important thing to remember here, is that this step considers the current and existing set of measures from a legal, technical and organizational perspective.
The core objective is to control any risks that may be identified before the commencement of data processing.
37.5 (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
Conducting a DPIA is a risk-based analysis process. All potential risks need to be identified, evaluated and documented. While some may regard this as as exercise in “looking for problems”, risk analysis should really be viewed and performed on the basis of likelihood and consequential impact.
The DPIA must take into account the nature, scope and context of processing personal data. Every conceivable processing scenario that relates to the collection, storage, use and deletion of personal data must be considered.
A vital part of a DPIA is the requirement to list risk mitigation measures. Such measures may include a technology based approach to risk-reduction, e.g. in order to protecting sensitive data during electronic transfer, an end-to-end email encryption service can be used.
Once privacy risks have been identified, the company’s options for addressing each identified risk or threat, appropriate privacy control strategies must be described, and only then, can any remaining risk be assessed.
The completed DPIA report, (which should be periodically reviewed - particularly when a process is subject to change ) contributes to the organization’s compliance to the GDPR principle of accountability.
The Value of a DPIA
A Data Protection Impact Assessment brings value to any organization that is required to comply with the GDPR. And while it is true that conducting a DPIA can be a lengthy and time-consuming exercise, a DPIA is like getting the “green light” for compliance with specific data processing
It can also act as a pre-analysis of the company’s data processing by the DPIA team members, while demonstrating good faith to the national regulator, as well as to the company’s valued customers.
NOTE: This article is provided for informational purposes only and does not constitute legal or professional advice. The Data Privacy Group recommends that businesses engage the services of an experience data privacy practitioner and/or data privacy attorney when preparing for compliance with any data protection and privacy legislation.