What is required for Data Protection Impact Assessment (DPIA)
“If we win here we will win everywhere. The world is a fine place and worth the fighting for and I hate very much to leave it.” - Ernest Hemingway
An appropriate quote when discussing the What, Why, Who, When and How of a DPIA.
What is a DPIA?
A DPIA is a process for systematically assessing the impact that a project or initiative might have on the privacy of individuals. It lets an organisation identify potential privacy issues before they arise and decide how to mitigate or avoid them.
The General Data Protection Regulation (GDPR) stipulates that you’ll need to conduct a DPIA for data processing that is “likely to result in a high risk”. But the GDPR doesn’t define “likely to result in a high risk” – so what does it actually mean?
The DPIA itself is where “high risk” is assessed in detail, so before that you need an initial screening step: a check for the red flags that indicate a DPIA is required in the first place.
As a starting point, GDPR Article 35(3) sets out three types of processing that always require a DPIA (supervisory authorities also publish lists of further processing operations that require one, under Article 35(4)):
1) Systematic and extensive profiling with significant effects:
“(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person”.
2) Large-scale use of sensitive data:
“(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10”.
3) Public monitoring:
“(c) a systematic monitoring of a publicly accessible area on a large scale”.
Why do we need to conduct a DPIA?
DPIAs help with implementing Privacy by Design, as mandated by the GDPR ‘Data protection by design and by default’ [GDPR - Art 25].
Failure to conduct a DPIA where one is required is itself an infringement of the GDPR. It can attract administrative fines of up to €10 million or 2% of your organisation’s total worldwide annual turnover, whichever is higher [GDPR - Art 83(4)].
Who is responsible for conducting a DPIA?
As a data controller, your organisation is responsible for ensuring that the DPIA is carried out, and it remains ultimately accountable for GDPR compliance. Where a processor handles the data on your behalf, it must assist you with the assessment [GDPR - Art 28(3)(f)], but the obligation does not transfer to the processor.
Who should be involved in conducting a DPIA?
- Business units / process owner
- Project lead or project manager
- The Data Protection Officer, where one has been designated, whose advice must be sought [GDPR - Art 35(2)]
- Where appropriate, the views of data subjects or their representatives [GDPR - Art 35(9)]
When should a DPIA be conducted?
Where screening indicates that a DPIA is required, it should be completed before any processing of personal data begins (the GDPR requires the assessment “prior to the processing” [GDPR - Art 35(1)]) and before any key decisions are made that would be difficult or costly to revisit. The project team should allow time for risks to be identified and mitigated or resolved. Typically, a DPIA runs alongside the planning and development of a new project. It is not a one-off exercise: the assessment should be reviewed at least when the risk represented by the processing changes [GDPR - Art 35(11)].
How can we conduct a DPIA?
A DPIA should cover the following steps:
- Identify the need for a DPIA
- Identify the processing
- Data audit
- Data processing assessment
- Risk analysis
- Measures to mitigate risks
- Sign off and record outcomes; where the measures leave a high residual risk, consult the supervisory authority before processing begins [GDPR - Art 36]
For further information on DPIAs please see our website.
Our offering, together with our strategic partnership with Sytorus, allows us to help organisations manage their data protection programmes using PrivacyEngine™, a Software-as-a-Service (SaaS) privacy management platform powered by Sytorus and built by technologists and data protection subject matter experts.