Data Protection Impact Assessment


What is a Data Protection Impact Assessment (DPIA)?

DPIA is a process that helps organizations identify and mitigate privacy risks. 

The objective of a DPIA is to investigate potential problems in advance so that they can be mitigated, thereby decreasing the likelihood of their occurrence and associated costs. Following that, organizations can take appropriate steps to mitigate and manage identified risks.

GDPR requires a Data Protection Impact Assessment (DPIA) when introducing new data processing processes, systems, or technologies. (GDPR Article 35)

DPIAs are critical for meeting the requirements for "data protection by design" and "data protection by default" as they help demonstrate compliance with data protection principles and the accountability principle. (GDPR Article 5.2, 25)

Conducting DPIAs before implementing or launching a new project involving the processing of personal data can help avoid non-compliance, the potential costs of a claim, and associated reputational damage.

When to do it?

GDPR requires DPIAs to be conducted 'prior to processing.' Therefore, organizations must ensure that no new projects are initiated before a DPIA is considered and, where necessary, conducted. As a result, determining whether a DPIA is required should be done early on as part of project management procedures.

Do I need a DPIA?

Ask yourself: Are you a controller or processor? 

The controller is responsible for performing a DPIA. 

Processors involved in relevant processing activities are required to assist under their contract with the controller, but they are not required to conduct DPIAs directly.

Ask yourself: What are the nature, scope, context, and purposes of the processing?

A DPIA is mandatory only if there is a high risk to data subjects' rights and freedoms or if otherwise required by law. (GDPR Article 35)

GDPR lists four situations requiring a DPIA:

1) A systematic and extensive evaluation of personal aspects of natural persons based on automated processing, including profiling, that would have legal or other significant effects on the persons.

2) Large-scale processing of special categories of data (Article 9.1) or personal data relating to criminal convictions and offenses (Article 10).

3) Systematic, large-scale public area monitoring.

4) Any processing on a list published by your competent supervisory authority or the European Data Protection Board.

This list is non-exhaustive, and numerous other data processing activities may qualify. Examples are provided in the Guidelines published by the EDPB (formerly the Data Protection Working Party), referenced below. Thus, it is essential to determine whether your personal data processing activities fall into one of these categories.

You should consult with a DPO to identify these activities, as they should have the necessary experience and expertise.

If you do not have access to a DPO, you may contact the supervisory authority instead.

How to conduct a DPIA?

Under Article 35(7) of the GDPR and the ICO's Code of Practice, the following steps must be taken:

1) Explain data processing activities and processing purposes.

2) Assess the necessity and proportionality of the processing activities in relation to the purposes.

3) Evaluate data protection risks.

4) Identify measures to address risks.

Even if a DPIA is not required for proposed processing activities, organizations must ensure that all proposed activities involving personal data adhere to GDPR principles.

After the DPIA:

Documenting agreed solutions is an essential part of the DPIA process. 

Findings will need to be communicated internally, and a plan should be agreed upon for how the proposals will be integrated into the project. Additionally, it will be important to follow up with the project team to ensure the agreed-upon changes are implemented and have the desired impact. A completed DPIA can also be used as a post-implementation tool for future data protection audits and updates to the DPIA.

In conclusion, DPIAs should be considered whenever new technologies or processes involving the collection, use, and sharing of personal data emerge or when significant changes are made to existing data processing activities, even if only a portion of these projects are required to conduct a DPIA under the GDPR.


Reference: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether the processing is "likely to result in a high risk" for the purposes of Regulation 2016/679, Data Protection Working Party. https://ec.europa.eu/newsroom/article29/items/611236
