The GDPR way to assess data protection
The Data Protection Impact Assessment (DPIA) is a new requirement of the GDPR. It is a procedure designed to determine the risks involved in data processing, retention and collection operations. The aim of a DPIA is to generate mitigation strategies to improve compliance and data privacy outcomes.
A DPIA is recommended when undertaking any process involving the use of public data. A DPIA is required, however, if any changes or additions to your data collection, retention or processing capabilities are “likely to result in a high risk” to individuals. ‘High risk’ is to be interpreted as either a high probability of some harm, or a lower probability of serious harm.
This article will explain the DPIA and provide an outline for how your business can begin to develop a DPIA procedure.
The Basics of the DPIA
In brief, a DPIA should:
- Describe the nature, scope, purpose and context of the data processing in question.
- Assess the necessity of said data use in proportion to compliance measures.
- Identify and assess the risks to individuals.
- Identify any additional measures your organisation could take to mitigate those risks.
For businesses with minimal and static data collection procedures, the DPIA will be something you have to conduct in order to become compliant with the GDPR. For organisations engaged in dynamic and large-scale data collection procedures, the DPIA will become part of your everyday operations.
In either case, it is a good idea to incorporate a DPIA awareness checklist into your development process wherever data is concerned. From a business perspective, the sooner a project can undergo a DPIA, the less disruption it will cause. Legally, a DPIA is required prior to the start of data processing if the nature of that processing meets the legislated criteria.
It is important to take the DPIA seriously. The GDPR has placed the responsibility to demonstrate compliance on the organisation(s) using the data. Fines for a lack of compliance have increased to a maximum of 4% of annual turnover or €20 million, whichever is greater.
Both the organisation(s) determining how the data should be used (controllers) and those undertaking the data collection or processing (processors) are responsible for undertaking a DPIA. The controller and processor could be the same organisation or multiple organisations. Regardless, all parties are now required to participate in the DPIA and are concurrently responsible for data protection.
It is also important to note that the size of your business and its location in the EU are irrelevant. The use of EU citizens' data is the determining factor. What matters to the authority of the GDPR is the nature, size and scope of your data collection, and its closeness to your core purpose.
- The DPIA is a required responsibility of both data controllers and data processors.
- The location and size of your business are irrelevant to the necessity to carry out a DPIA.
- What matters is the use of EU citizen data, along with the size and scope of your data collection and its closeness to your core purpose.
- Incorporate DPIA awareness into your development procedures wherever data processing is concerned.
The first thing to do is think about how to integrate the DPIA into your existing operational structure. The size and scope of your data processing operations will determine the best solution for you. Because the DPIA is primarily used when there are changes or additions to your data policies, the degree of ongoing change will be a major factor in determining your relationship with the DPIA.
The ICO (Information Commissioner's Office) provides the following criteria as an awareness checklist for consideration when looking at how to build DPIA processes into your organisational structure. Those recommendations are:
- Develop organisational-wide training that enables staff to understand the need for a DPIA at the early stages of any plan utilising personal data.
- At a minimum, this means ensuring a reference to DPIA requirements in existing policies, processes and procedures.
- Create a screening checklist to understand the processes that require a DPIA.
- Create a documented process for DPIA execution.
- Train relevant staff on how to carry out a DPIA.
What is a DPIA? It is the Responsibility of Your DPO (Data Protection Officer)
The GDPR has created a number of changes to data protection policies and organisational operations. This includes expanding the rights of individuals over their data, including the Right to be Forgotten and the Right to Object to Processing. Another change is the creation of the Data Protection Officer (DPO).
Not all parts of the GDPR apply to every business or every data processing operation. The DPIA is certainly one of those selectively applied obligations. You are encouraged to voluntarily undertake DPIAs. However, if you are required to undertake even a single DPIA, you are also likely to be required to appoint a DPO.
The DPO is a new breed of data officer. They basically function as a public advocate and regulatory representative within your organisation. You are required to provide your DPO with lines of communication to the highest levels of management and/or the board, along with the resources necessary to carry out their obligations under the GDPR.
A primary job of the DPO is to undertake DPIAs. Depending on the project, other employees can take the lead on running the DPIA. However, you are obligated to consult your DPO (if you have one) during the DPIA process. You are also required to record the opinion of your DPO and explain why their recommendations were not acted upon if overruled.
You are legally obligated to inform your DPO of any changes or additions to your data collection, processing or retention operations — whether or not they require a DPIA. It is the DPO’s responsibility to determine if a DPIA is necessary. You are not allowed to place limitations on a DPO’s assessments, or attempt to influence their conclusions.
The DPO is encouraged to inform the relevant regulatory body if they determine the existence of unmitigated and disproportionate ‘high risks’ to public data. These risks can be discovered through a DPIA or other means.
- If you are obligated to undertake DPIAs, you will also likely be required to appoint a DPO.
- Your DPO must be consulted throughout the DPIA process.
- The DPO must be informed of changes to your data collection, processing or retention operations.
- Recommendations of the DPO are not binding; however, you need to record the reasons they were overruled.
When is a DPIA Necessary? Creating a Risk Assessment Checklist
When determining if a DPIA is necessary, it is good to err on the side of caution. One of the big changes of the GDPR is an emphasis on the need to demonstrate compliance. It is incumbent on organisations to keep records, explain their decision-making process, show why they kept the personal data that they chose to process, and show how they are actively protecting that information. It is important for you to be able to demonstrate to a regulator that the best practices for data protection are being implemented.
The ICO provides the following criteria as an awareness checklist when considering the implementation of a DPIA.
Your organisation should carry out a DPIA when planning to:
- Undertake systematic and extensive profiling, particularly for automated decisioning.
- Undertake profiling on a large-scale.
- Process personal data without seeking consent directly from the individual.
- Process special category data or criminal offence data.
- Process genetic or biometric data.
- Use new technology for the processing or collection of personal data.
- Undertake the systematic and large-scale monitoring of publicly accessible places.
- Take data from multiple sources to combine, compare or match.
- Track individuals’ online or offline location or behaviour.
- Process the data of children, particularly for automated decisioning, marketing purposes, profiling or the offer of direct online services.
- Process personal data that could result in physical harm in the event of a security breach.
- Change the nature, scope, context or purpose of data processing previously subject to a DPIA.
Your organisation should consider undertaking a DPIA if it is:
- Evaluating or scoring personal information.
- Undertaking automated decision-making with substantial effects.
- Processing a large amount of data.
- Processing data that is highly personal or concerning vulnerable individuals.
- Using innovative technologies or organisational structures.
- Undertaking any major project involving the use of personal data.
DPIA Process Checklist
Once you have decided that you need to undertake a DPIA, you need to do a good job.
Your DPIA should:
- Describe the nature, scope, context and purpose of the data processing.
- Engage with data processors to understand and document processing activities and identify any associated risks.
- Consider how best to consult relevant stakeholders, such as data subjects or their representatives.
- Undertake an objective assessment of the likelihood, magnitude and severity of any risks involved in your data processing activities.
- Confirm that the processes being undertaken are necessary and proportionate to the risks.
- Describe how data protection compliance is being ensured.
- Identify any additional measures that can be put in place to eliminate or reduce risk.
- Seek the advice of your DPO.
- Record the decision-making process and outcome, including any dissenting opinions from the DPO or other consulted individuals.
Following assessment, you must:
- Implement identified measures and integrate them into existing project plans.
- Consult the ICO or other relevant regulatory bodies if necessary.
- Review and revisit DPIAs when necessary.
You are not required to publish your DPIA under the GDPR. However, there are benefits to publication: it demonstrates compliance and helps engender trust. The ICO recommends publishing DPIA results whenever possible, removing sensitive details if necessary.
Summary: What is a DPIA? It is something you need to integrate into every aspect of your data processing procedures
The DPIA is similar to privacy impact assessments (PIA) already carried out by some organisations. However, the legal requirements of the DPIA necessitate a review of assessment procedures to ensure compliance.
If, however, you can prove that your previous privacy impact assessment standards meet DPIA criteria, it is not necessary to undertake additional assessments unless there is a change to the nature, scope, context or purpose of previously assessed processing.
A DPIA should consider compliance and risks, but also broader risks to the rights and freedoms of individuals. This should include the prospect of any substantial social or economic disadvantage. The focus is on potential harm, which can be physical, material or non-material, and can affect individuals or society at large.
A DPIA must consider both the severity and likelihood of any impact. You are not obligated to remove risk altogether, but you are required to minimise risks and show how any remaining risks are justified. It is then important to act on identified risks to ensure that best practices are followed.
The DPIA is a central and important aspect of GDPR compliance. It is one of the main tools you have to make sure that you are following the new guidelines. The nature of your data processing operations will determine how important the DPIA will become to your day-to-day operations.
Fundamentally, it is important to build DPIA considerations and procedures into the foundations of how you interact with data. This will not only ensure compliance, it will make compliance easier from an operational and business standpoint.