Data Protection Impact Assessment Introduction & Background
The GDPR compliance deadline (25 May 2018) has passed, so organizations should already have a documented process for conducting Data Protection Impact Assessments (DPIAs) and Privacy Impact Assessments (PIAs).
Before building or reviewing a DPIA program, however, it is worth being clear about what a DPIA is, when one is required, and how it should be conducted.
What is Data Protection Impact Assessment (DPIA)?
A DPIA is a structured assessment of the risks that a data processing activity poses to the rights and freedoms of individuals; GDPR Article 35 requires one where that risk is likely to be high.
A privacy impact assessment (PIA) is the broader, pre-GDPR term for the same kind of exercise: it identifies privacy risks during the development life cycle of a program or system and documents how personal information will be handled and secured to maintain privacy.
When is a DPIA required?
The GDPR requires that a DPIA be carried out before a processing activity begins where that processing is likely to result in a "high risk" to the rights and freedoms of individuals (Article 35(1)).
The GDPR does not define the full set of processing that is likely to result in such a risk; Article 35(3) names only three cases in which a DPIA is always required: systematic and extensive automated evaluation (including profiling) with legal or similarly significant effects, large-scale processing of special categories of data or criminal-conviction data, and systematic large-scale monitoring of publicly accessible areas.
The Article 29 Working Party has, however, published nine criteria for identifying high-risk processing (guidelines WP248), which serve as a practical guide; as a rule of thumb, processing that meets two or more of them will usually require a DPIA.
The criteria are: evaluation or scoring (including profiling and predictive processing); automated decision-making with legal or similarly significant effects; systematic monitoring; sensitive data or data of a highly personal nature; data processed on a large scale; matching or combining datasets; data concerning vulnerable data subjects; innovative use or application of new technological or organisational solutions; and processing that prevents data subjects from exercising a right or using a service or contract.
One example of high-risk processing in the evaluation or scoring category is conducting credit checks.
While the GDPR does not dictate a specific methodology for conducting DPIAs, Article 35(7) does set out four elements that every DPIA must contain:
- a systematic description of the envisaged processing operations and their purposes;
- an assessment of the necessity and proportionality of the processing in relation to those purposes;
- an assessment of the risks to the rights and freedoms of data subjects; and
- the measures envisaged to address those risks, including safeguards and security measures, and the means of demonstrating compliance.
Benefits of privacy by design, that is, embedding data protection features early in the design (the approach Article 25 GDPR requires):
- Early identification of potential threats and problems.
- Fixing problems early saves time and money compared with retrofitting controls.
- Increased privacy and data protection across the organization.
- GDPR compliance.
DPIA Best Practices
Data Flow Mapping & Data Inventory
Before creating a DPIA process, it is useful to have a clear picture of what personal data your organization holds, where it is stored, and how it flows through systems and third parties.
With that in mind, it is essential to build a data inventory and map the organization's business process flows or systems; the inventory is also the natural input for screening which processing activities need a DPIA at all.
Use Assessments Appropriate for Processing Risk
Not all systems and processes require the same type of assessment. The type of assessment depends on the kind of processing activity being assessed and on the organization's privacy and data protection compliance goals.
Assessments are designed to address varying levels of data processing risk and complexity. They can be focused on specific regulations, such as the EU GDPR or the CCPA, or on specific products and services.
Make sure the assessment you choose will actually satisfy your EU GDPR Article 35 compliance goals, not just a generic privacy checklist.
Personal data processing where a DPIA is likely required:
- A hospital processing patients' genetic and health data.
- Sensitive personal data from research projects or clinical trials.
- An organization using an intelligent video analysis system to single out cars and automatically recognize registration plates.
- An organization that monitors publicly accessible areas via CCTV or body-worn cameras.
- Companies that monitor employees' activities, including their workstations and Internet activity.
- Gathering public social media data to generate profiles.
- Institutions that create national-level credit rating or fraud databases.
- Organizations that process special categories of data (e.g. health, religion or ethnic origin) on a large scale.
- Processing of personal data relating to criminal convictions and offences (Article 10 GDPR).
- Evaluation of individuals based on automated decisions, such as denial of online credit applications or e-recruiting, without meaningful human involvement in the decision.
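The data inventory described above is the natural input for deciding which activities on this list need a DPIA. The following Python script is an added example, not code from the original article: it screens a small constructed inventory against the three mandatory cases in Article 35(3) and the nine Article 29 Working Party criteria, applying the Working Party's rule of thumb that two or more criteria usually call for a DPIA. The inventory record format (the `ProcessingActivity` fields) is hypothetical, and the mapping from those flags to the legal wording is a simplification that a human reviewer still has to confirm.

```python
"""DPIA screening over a data inventory (added example, hypothetical record format)."""
from dataclasses import dataclass, field
from typing import List, Set

# Article 9(1) special categories plus Article 10 criminal-conviction data, which
# the WP29 guidelines group under "sensitive data or data of a highly personal nature".
SPECIAL_CATEGORIES = {
    "health", "genetic", "biometric", "racial_or_ethnic_origin", "political_opinions",
    "religious_or_philosophical_beliefs", "trade_union_membership", "sex_life",
    "sexual_orientation",
}
CRIMINAL_DATA = {"criminal_convictions", "criminal_offences"}
SENSITIVE = SPECIAL_CATEGORIES | CRIMINAL_DATA


@dataclass
class ProcessingActivity:
    """One inventory row, already mapped to WP29 concepts (hypothetical schema)."""
    name: str
    data_categories: Set[str] = field(default_factory=set)
    evaluation_or_scoring: bool = False            # profiling, credit checks, prediction
    automated_decision_legal_effect: bool = False  # decisions without meaningful human review
    systematic_monitoring: bool = False            # e.g. employee or network monitoring
    public_area_monitoring: bool = False           # CCTV, ANPR, body-worn cameras
    large_scale: bool = False
    matching_or_combining_datasets: bool = False
    vulnerable_data_subjects: bool = False         # employees, patients, children, ...
    innovative_technology: bool = False
    prevents_right_or_service: bool = False


@dataclass
class ScreeningResult:
    name: str
    mandatory_grounds: List[str]
    criteria_met: List[str]
    verdict: str


def wp29_criteria(a: ProcessingActivity) -> List[str]:
    """Return the WP248 high-risk criteria that the activity meets."""
    checks = [
        ("evaluation or scoring", a.evaluation_or_scoring),
        ("automated decision-making with legal or similar effect", a.automated_decision_legal_effect),
        ("systematic monitoring", a.systematic_monitoring or a.public_area_monitoring),
        ("sensitive data or data of a highly personal nature", bool(a.data_categories & SENSITIVE)),
        ("data processed on a large scale", a.large_scale),
        ("matching or combining datasets", a.matching_or_combining_datasets),
        ("data concerning vulnerable data subjects", a.vulnerable_data_subjects),
        ("innovative use or new technological solutions", a.innovative_technology),
        ("prevents exercising a right or using a service", a.prevents_right_or_service),
    ]
    return [label for label, met in checks if met]


def article_35_3_grounds(a: ProcessingActivity) -> List[str]:
    """Return the Article 35(3) cases that make a DPIA mandatory outright (simplified mapping)."""
    grounds = []
    if a.evaluation_or_scoring and a.automated_decision_legal_effect:
        grounds.append("Art. 35(3)(a): systematic automated evaluation with legal or similar effects")
    if a.large_scale and a.data_categories & SENSITIVE:
        grounds.append("Art. 35(3)(b): large-scale special-category or criminal-conviction data")
    if a.large_scale and a.public_area_monitoring:
        grounds.append("Art. 35(3)(c): systematic large-scale monitoring of a public area")
    return grounds


def screen(a: ProcessingActivity) -> ScreeningResult:
    """Classify one activity; every outcome, including 'not required', should be recorded."""
    mandatory = article_35_3_grounds(a)
    criteria = wp29_criteria(a)
    if mandatory:
        verdict = "DPIA required"
    elif len(criteria) >= 2:
        verdict = "DPIA likely required"  # WP248 two-criteria rule of thumb
    elif len(criteria) == 1:
        verdict = "DPIA recommended; record the reasoning if not performed"
    else:
        verdict = "DPIA not required; record the screening outcome"
    return ScreeningResult(a.name, mandatory, criteria, verdict)


# Constructed sample inventory (not real systems), modelled on the list above.
INVENTORY = [
    ProcessingActivity("Hospital EHR with genetic test results", data_categories={"health", "genetic"},
                       large_scale=True, vulnerable_data_subjects=True),
    ProcessingActivity("Car-park ANPR camera system", data_categories={"vehicle_registration"},
                       public_area_monitoring=True, large_scale=True, innovative_technology=True),
    ProcessingActivity("Employee workstation and internet monitoring", data_categories={"browsing_history"},
                       systematic_monitoring=True, vulnerable_data_subjects=True),
    ProcessingActivity("Internal staff newsletter mailing list", data_categories={"name", "work_email"}),
]


def screen_inventory(inventory=INVENTORY) -> List[ScreeningResult]:
    return [screen(a) for a in inventory]


if __name__ == "__main__":
    for r in screen_inventory():
        print(f"{r.name}: {r.verdict}")
        for line in r.mandatory_grounds + r.criteria_met:
            print(f"  - {line}")
```

Run stand-alone, the script flags the hospital and ANPR activities as mandatory under Article 35(3), the employee-monitoring activity as likely requiring a DPIA on two WP29 criteria (systematic monitoring of vulnerable data subjects), and the newsletter list as not requiring one. The point of the "not required" verdict is that it is still an output to be recorded: supervisory authorities expect the screening decision itself to be documented.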
DPIA Program Essential Elements
The six essential elements of a sustainable DPIA program are: integrated governance, risk assessment, resource allocation, policies and standards, processes, and awareness and training.
The first step in building a sustainable program is establishing program leadership. The structure will vary with the organization's goals.
For example, a global corporation may have one global stakeholder along with several regional stakeholders.
Classifying data-related risks requires a collaborative approach, because different stakeholders view risk differently. Do not forget to include unstructured data (documents, e-mail, file shares) when assessing risk.
Assign knowledgeable and trained personnel to defined roles and responsibilities. Outlining the resources needed will help establish a budget.
Policies and Standards
Set procedures and guidelines that define and deploy effective, sustainable governance and controls for managing data-related risks.
The assessment process will then show whether there are gaps between those standards and the practices actually implemented.
Develop a process that fits the organization's size and privacy maturity level. Following a documented process, especially for PIAs/DPIAs, ensures consistency and produces the evidence of compliance that Article 35 expects.
Awareness & Training
This step is crucial to ensuring that the program continually evolves and improves. Communicate expectations to stakeholders and the wider organization, provide training tailored to each audience's role, and establish regular training cycles.
Who should conduct a DPIA?
Under Article 35(1) the controller is responsible for carrying out the DPIA, and Article 35(2) requires it to seek the advice of its data protection officer where one has been designated. In practice the work is done by staff with data protection knowledge and expertise, or by a reputable outsourced privacy expert, but accountability for the assessment remains with the controller.