The EU GDPR (General Data Protection Regulation) became enforceable across the EU on 25 May 2018. The regulation strengthens data privacy for individuals in the EU. Where processing is likely to result in a high risk to individuals, businesses and organizations subject to the GDPR are required to conduct a Data Protection Impact Assessment (DPIA) before the processing begins, so that data protection risks can be identified and mitigated.
A DPIA is a methodical process that allows you to justify, assess and reduce the privacy risks of processing the personal data of EU residents.
This article is part of our Introduction to GDPR, which aims to help you understand the General Data Protection Regulation and your obligations under the law. Although industry experts have put together our guide, it does not constitute legal advice. If you require definitive legal guidance, we suggest seeking professional legal advice or consulting the most appropriate Data Protection Authority (DPA).
A data protection impact assessment (DPIA), also referred to as a privacy impact assessment (PIA), is a method for assessing the risks arising from personal data processing activities.
A DPIA is typically carried out when introducing new data processing operations, systems or technologies, or whenever the processing of personal data is likely to result in a high risk to data subjects' rights and freedoms.
A data protection impact assessment encourages a risk-based approach. This ensures that organizations do not waste resources mitigating threats that have a low probability of occurring or would have little impact.
Data protection impact assessment process
Carry out the DPIA as early as possible in the life cycle of any new project or processing activity. This lets you build its findings and recommendations into the design of the processing rather than retrofitting them later.
The GDPR does not prescribe a particular DPIA process. However, a workable method, such as the one the ICO describes, includes the following steps.
1. Identify the need for a DPIA
Article 35(3) of the GDPR names three categories of processing that always require a DPIA:
Systematic and extensive profiling, or other automated evaluation of individuals, that produces legal or similarly significant effects on them
Large-scale processing of special category data (for example health, biometric or genetic data) or of data relating to criminal convictions and offences
Systematic monitoring of publicly accessible areas on a large scale
In addition, the ICO lists ten further types of processing that require a DPIA:
Use of innovative technology
Denial of service: decisions about an individual's access to a product, service, opportunity or benefit that are based on automated decision-making (including profiling) or on special category data
Large-scale profiling of data subjects
Processing of biometric data
Processing of genetic data, unless it is carried out by an individual health professional who provides health care directly to the data subject
Data matching: combining, comparing or matching personal data obtained from multiple sources
Invisible processing: processing personal data that was not obtained directly from the data subject, in circumstances where informing the individual would be impossible or involve disproportionate effort
Tracking: processing that involves tracking an individual's geolocation or behaviour, including but not limited to the online environment
Targeting of children or other vulnerable individuals for marketing, profiling or other automated decision-making, or offering online services directly to children
Processing that could result in a risk of physical harm to individuals in the event of a data breach
2. Describe the processing
Describe the nature, scope, context and purposes of the processing, covering:
The nature, sensitivity, volume and variety of the data
The duration, extent and frequency of the processing
How many data subjects are involved
Where the data was obtained from
Whether any of the data subjects are children or other vulnerable individuals
Where relevant, your legitimate interests in the processing
3. Consider Consultation
Unless there is a good reason not to, seek and record the views of the individuals concerned or their representatives. One way to do this is through a general public consultation.
Where necessary, ask your data processors for assistance.
Consult relevant internal stakeholders, such as your security teams.
Where appropriate, obtain impartial, independent and professional external advice, such as legal advice.
4. Assess necessity and proportionality
Evaluate and document:
Whether your plans will actually achieve the stated purpose
Whether the same result could be achieved in another, less intrusive way
You will also need to explain how you will comply with the GDPR's data processing principles, including:
The lawful basis for your processing
How data subjects will be provided with privacy information
How you will enable data subjects to exercise their rights
Any further measures you will take to ensure your data processors meet their legal obligations
5. Identify and assess risks
Think about how your data processing could affect data subjects. Possible impacts of the processing include:
Financial or economic disadvantage or loss
A restricted ability to obtain opportunities or services
Social impacts, such as discrimination or reputational damage
Also consider how different types of data breach could affect data subjects. Evaluate the severity and likelihood of each security risk and determine whether it is within acceptable levels. Examples of types of data breach include:
6. Identify measures to mitigate the risks
For each risk identified, evaluate and record its source and the options for reducing it. Such options may include:
Shortening the retention period of the data
Implementing enhanced technical security measures
Anonymizing or pseudonymizing the data
7. Sign off and record outcomes
Document how each risk is to be treated and what residual risk remains.
If a high risk remains that cannot be mitigated, the data protection authority must be consulted before the personal data is processed (prior consultation under Article 36).
Once signed off, the DPIA's outcomes should be incorporated into your project, and mechanisms put in place to monitor its ongoing performance (steps 8 and 9).
In other words, if the DPIA identifies a high risk that you cannot reduce, you must consult the ICO (or your relevant DPA) and may not start processing until that consultation is complete. If you can successfully reduce the risks identified by the DPIA to an acceptable level, you do not need to consult the ICO.
Privacy by design and default
A DPIA is a central component of the GDPR's privacy by design and by default approach. The law makes data controllers accountable for building appropriate technical and organizational data protection measures into their processing activities.
In other words, the GDPR requires:
Data protection by design: data controllers must implement appropriate technical and organizational measures that embed the data protection principles and safeguards into the processing itself.
Data protection by default: data controllers must, by default, process only the personal data that is necessary for each specific purpose, and must not collect or retain more than is required.
Integrating privacy features into your project designs will help you to:
Identify critical issues at an early stage.
Save time and resources by addressing issues early.
Increase awareness of data protection and privacy across the company.
Reduce the likelihood of a GDPR breach.
Reduce the intrusiveness of the processing and its adverse effects on the data subjects whose data is processed.
Failure to carry out a proper DPIA when one is required is itself a breach of the GDPR. Such a violation can result in fines of up to 2 per cent of the business's worldwide annual turnover or 10 million euros, whichever is higher. See our guide to GDPR penalties to learn more about the fines and how they are enforced.