Data Protection Impact Assessments (DPIA)

Data Protection Impact Assessment

The EU GDPR (General Data Protection Regulation) became a legal requirement across the EU on 25 May 2018.  The legislation provides greater data privacy for EU based individuals.  Businesses and organizations subject to GDPR, are required to conduct a Data Protection Impact Assessment (DPIA) before processing data to ensure that any data protection risks can be mitigated.

A DPIA is a methodical process which will allow you to justify, assess and lessen the privacy risks when processing personal data of an EU resident.

This article is part of our Introduction to GDPR, which aims to help you understand the General Data Protection Regulations and your obligations under the law.  However, while industry experts have put together our guide, it does not constitute legal advice.  If you required definitive legal guidance, we suggest seeking professional legal advice or visiting the most appropriate Data Protection Authority (DPA).

What is a data protection impact assessment?Data Protection Impact Assessment

A data protection impact assessment (DPIA), also referred to as privacy impact assessment (PIA), is a  method for assessing risks relating to personal data processing activities.

Instances when a DPIA may be carried out include when introducing new data processing processes, systems or technologies, or when there a likelihood of high risk to data subjects’ rights and freedoms when processing personal data.

A data protection impact assessment encourages a risk-based approach.  This approach ensures organization don’t waste resources in an attempt to mitigate threats which have a low probability of occurring or will have little impact.

Data protection impact assessment process

You have to carry out DPIA as soon as possible in any new work or work life cycle. It will let you implement the findings and proper recommendations into the whole data processing designs.

GDPR does not state what type of DPIA process that you have to follow. However, the method includes these few steps.

There are three different categories of doing processing that needs a DPIA:

  • A substantial and structured profiled with significant effects
  • A large amount of private data appropriately used
  • It is monitored in public

Moreover, the ICO states there are ten other types of processing that need a DPIA:

  • The latest computer technology
  • There is no service based on automatic decision-making, which includes profiling
  • There is a lot of data subject profiling
  • Biometric information processing
  • Plenty of generic information processing, unless a health expert that provides health care to the individual
  • Combine and combine private information attained from different sources
  • Non-transparent processing of private information attained from another source in particular conditions
  • Processing involves taking down a data project’s different location or behavior, which includes but does not limit the platform online
  • It is using the information to target underage data subjects or other data subjects that are vulnerable
  • Where processing will pose as physical harm when a data breach happens

View examples of processing that are high risks to data subjects.

It is a proper practice to produce a DPIA for other big projects, which need private information to be processed.

Steps to conduct a Data Protection Impact Assessment

The GDPR allows organizations to use a data protection impact assessment framework which complements their existing processes.

Data Protection Impact Assessment

The steps below are in accordance with the guidance provided by the ICO:

 1. Identify the need for a DPIA

  • If you have one, consult your data protection officer (DPO)
  • Determine whether your processing requires a DPIA
  • Use the ICO screening checklist
  • If you decide a DPIA is unnecessary, document your decision and the reasons for it
  • If you determine a DPIA is necessary, continue to step 2

 2. Document the data processing

The context, nature, scope and purpose of the processing should be documented, including:

  • How the data will be obtained, stored and used
  • Who is the data shared with
  • How the data will be protected and what security measured will be used
  • The nature, sensitivity, volume, and variety of data
  • The duration, extent, and frequency of the processing
  • How many data subjects are involved
  • Where was the data obtained from
  • Identify any data subjects which are children or other vulnerable individuals
  • Where relevant, your legitimate interests

 3. Consider Consultation

  • Unless there is a good reason not to, collect and capture views of individuals or their representatives. One of the ways that this can be achieved is through a general public consultation
  • where necessary, ask data processors for assistance
  • Consult with relevant internal stakeholders, such as security teams
  • Where appropriate, obtain impartial, independent, and professional external advice, i.e. legal advice

 4. Assess necessity and proportionality

Evaluate and document:

  • If your plans can adequately achieve the purpose
  • Whether the same result can be attained any other way

You will need to elaborate on how you will ensure you comply with the GDPR’s data processing principles, incorporating:

  • The lawful basis for your processing
  • How data subjects will be provided with privacy information
  • How will you enable the data subjects’ rights
  • All further the measures that you may undertake to ensure data processors are meeting legal compliance

 5. Identify and assess risks

think about how your data processing can affect data subjects. Possible impacts of processing may include:

  • Financial or economic disadvantage or loss
  • A restricted ability of data subject to obtain opportunities or services
  • Social impacts

Also consider how different types of a data breach may be affect data subjects, depending on the severity and likelihood of the risks.  Evaluate the severity and probability of security risks, and determine if they are within acceptable levels.  Examples of types of data breach include:

  • Illegal or unauthorized access to personal data
  • personal data which has been lost or modified

Learn more about risk assessment methodology

 6. Identify measures to mitigate the risks

For each of the risks identified, evaluate and record the source, and options for reducing the risk. Such options may include:

  • Lessening the retention period of the data
  • Implementing enhanced technical security measures
  • Taking steps to anonymize or pseudonymize the data

 7. Sign off and record outcomes

  • Document how each risk is to be treated, and any remaining residual risk
  • In the instance that you still have high risks which cannot be mitigated, the data protection authority should be consulting before processing personal data

Once signed off, the DPIA’s outcomes should be incorporated into your project, and mechanism put in place to monitor its ongoing performance (steps 8 and 9).

The ICO provides a practice code for carrying out privacy assessments. View the guide for the process of DPIA.

Data protection impact assessment template

You can implement the DPIA template, or make your own. If you want to make your own, you have to refer to the Europe criteria for a proper DPIA.

If you have executed the DPIA and stated that it is of high risk, you cannot take any steps to cut down this risk, and you might have to ask for help from the ICO. You also cannot start processing until you have consulted the ICO expert.

If you can successful reduce the risk that has been identified by the data protection impact assessment, then you do not have to seek help from the ICO.

Privacy by design and default

A DPIA is a central component of the GDPR latest’ privacy of the design and the primary approach. The law states that there is accountability for data controllers to put in technical and company measures for data protection into their activities for processing information.

In other words, GDPR needs to have:

  • Data protection by design – Data controllers must use security measures in a proper place to control and cut down personal information processing.
  • Default protection for private information – data controllers can only process information that is needed, so that it is required, and store the information that is required.

Integrating privacy features for data privacy into your project designs that will give you help in:

  • Identify critical issues at an early phase.
  • Save time and resources when identifying issues fast.
  • Increase the awareness of protecting information and privacy across the company.
  • Cut down the potential of a GDPR getting breached.
  • Cut down intrusion and adverse effects on workers’ processing of the data.

The ICO has sent down different guides on designs for privacy.

Breach of DPIA duties under GDPR

Failure to carry out proper DPIA when it is required is a breach of GDPR.  Such a violation could result in fines up to 2 per cent of the businesses’ annual revenue turnover or a total fine of 10M euros, whichever is higher. Check it out to learn more about the penalties of GDPR and how to reinforce it.

You might also like