How to conduct Data Protection Impact Assessment under GDPR
One of the most important ways to demonstrate your company’s compliance with the EU’s General Data Protection Regulation (GDPR) is to prepare a Data Protection Impact Assessment (DPIA) for any high-risk data processing activities.
The GDPR requires a DPIA for any new project that may involve “a high risk” to consumers’ personal information. A DPIA is used to identify, and then mitigate, any data protection-related risks that may affect your company or the individuals it engages with.
Below, we’ll explain how to determine if a DPIA is needed and, if so, how to conduct the assessment.
DPIA Requirements under the GDPR
Article 35 of the GDPR covers DPIAs. The DPIA is a requirement under the GDPR as part of the “protection by design” principle. According to the law:
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
The language makes it clear that a DPIA is required by law under certain conditions, but how does a company determine if one is needed? Article 35(3)(a)-(c) sets out three types of conditions that require a DPIA:
- Systematic and extensive profiling with significant effects;
- Large-scale use of sensitive data; and
- Public monitoring.
Additionally, a company is expected to complete a DPIA if it is using new technologies, if it is using data processing to make automated decisions that could have legal effects, or if it is processing children’s data.
In other cases, where the “high-risk” standard is not met, companies should err on the side of caution and conduct a DPIA to minimize their liability and guarantee that best practices for data security and privacy are being followed.
How to conduct a Data Protection Impact Assessment
After determining that a DPIA is warranted, a company must take additional steps to complete the assessment, making sure to include the information required by law. Article 35(7) of the GDPR requires DPIAs to contain at least the following elements:
- “A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- An assessment of the risks to the rights and freedoms of data subjects; and
- The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.”
It’s important to remember that a company is not required to eliminate all risks inherent to processing, but may simply minimize the effect or accept the risk as part of the processing. Once the appropriate measures have been taken, it is important to bring the DPIA to a conclusion and have one of the company’s officers sign off on the assessment.
Conducting a DPIA should happen prior to and during the planning stages of any new project, and may be an ongoing process. The process should involve all key individuals working on the project, in addition to any data protection or security officers in the company.
Templates on how to record and complete a DPIA are available to the public. Here are two of the more widely used templates:
- The UK’s Information Commissioner’s Office, which is responsible for enforcing the GDPR in that country, has prepared a Data Protection Impact Assessment template.
- Family Links Network provides a template listing questions about data protection issues that National Societies should consider before conducting a DPIA.
How Do DPIA Requirements Affect Current US Privacy Laws?
Although state DPIA requirements in California, Colorado and Virginia are similar, there are slight differences that require companies to be cautious. Additionally, requirements may be the subject of future regulations that expand or narrow the scope, or otherwise create new obligations for companies. Regardless, companies should start to look at their current policies and begin to prepare for these coming requirements.