What is a data protection impact assessment (DPIA) under the General Data Protection Regulation (GDPR)?
When do you need a DPIA?
How do you conduct a DPIA?
Are there templates you can use?
In this article, we will break down the notion of data protection impact assessment in detail so you know all there is to know about it.
Are you ready?
Let’s get started!
What is a data protection impact assessment?
A data protection impact assessment, or DPIA for short, is an assessment performed by organizations intended to investigate, recognize and mitigate potential risks in processing data subjects’ personal data.
Particularly, the DPIA is a mandatory requirement under GDPR whenever you have a project where you need to process personal data that may likely involve “a high risk” to the individuals concerned.
The privacy impact assessment does not need to cover all possible risks a data subject may be exposed to or the risks that you’ve mitigated.
The DPIA should consider the risks that a data subject may objectively be exposed to where that exposure is likely to represent a high and impactful risk to the persons concerned.
Let’s look at the legal definition of data protection impact assessment under GDPR.
What is the purpose of a data protection impact assessment?
The purpose of a data protection impact assessment is for a company to understand its data processing operations and risks to data subjects.
Conducting a DPIA allows companies to demonstrate their compliance with the General Data Protection Regulation requirements when processing personal data.
The DPIA gives a company the means and the opportunity to define and implement safeguards and technical and organizational measures that are adequate to protect data subjects before it processes their personal data.
Another underlying purpose of the DPIA is to allow companies to incorporate the principle of “data protection by design” within their internal processes, systems and operations.
DPIA legal definition (Article 35 GDPR)
Article 35 GDPR establishes the legal requirement to conduct a DPIA. It states:
“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.”
The key aspects of this definition are:
- A type of processing
- High risk
- Is likely
Let’s look at each component.
A type of processing
GDPR says that a company will need to conduct a DPIA when “a type of processing” is likely to result in a high risk to the data subjects.
A type of processing can be any type of processing operation.
Fundamentally, the data collection, processing and use must rest on a lawful basis.
When a company has a lawful purpose in processing the personal data, GDPR requires that they consider the following parameters:
- The nature of the processing activity
- The scope of the processing activity
- The context of the processing activity
- The purpose of the processing activity
GDPR emphasizes the use of “new technologies”.
That’s an interesting concept as it requires companies to think about their processing operations whenever they develop new technologies, applications or systems.
Innovative companies, and those developing state-of-the-art applications, software and systems, should consider whether or not they must perform a DPIA in relation to the use of their new technologies.
The second element we need to consider is the element of “high risk”.
If the data processing operations will result in a likely “high risk” to the data subjects, then an organization has a duty to conduct a data protection impact assessment.
What are the risks to the data subjects?
The answer to that question may be different for each data processing operation.
Recital 85 GDPR gives us guidance as to what potential risks and consequences on data subjects that organizations should consider:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
The risk can be physical, material or non-material such as:
- Loss of control over personal data
- Limitation of data subjects’ rights
- Identity theft
- Financial loss
- Unauthorized reversal of pseudonymization
- Damage to reputation
- Loss of confidentiality of personal data
- Loss of confidentiality of personal data protected by professional secrecy
- Other economic disadvantages
- Other social disadvantages
Companies need to perform a holistic review of the potential risk to the data subjects.
Recital 76 GDPR further states that:
“Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.”
The risk assessment should consider objective risk factors impacting data subjects.
The third component that must be present to trigger a mandatory DPIA is that the high risk to the data subject must be “likely”.
Recital 76 GDPR states:
“The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing.”
The likelihood of the risk to the subject must be evaluated based on the nature, scope, context and purpose of the data processing operations.
There are no cookie-cutter answers as to what is likely and what is not likely.
The assessment must take into consideration the unique aspects of the company’s project and data processing needs.
Why is DPIA important?
DPIAs are important for ensuring that companies process personal data while being mindful of the data subject.
GDPR does not want organizations to mindlessly collect personal data on individuals and process them in whatever way they feel is commercially viable.
The goal is to balance a company’s legitimate needs with the protection of the data subjects’ rights and freedoms.
The DPIA provides an opportunity for a company to reflect on the data processing operations, ponder on its needs, determine if it has adopted proper technical and organizational measures to protect data and think of how the data subjects can be affected.
GDPR’s DPIA obligation goes to the heart of the GDPR’s principle of accountability and governance.
When is a data protection impact assessment required?
When should a data protection impact assessment (DPIA) be conducted?
Before high-risk data processing operations begin
The DPIA must be done before the high-risk data processing activities begin.
Companies must remain vigilant.
Even if a company has not yet conducted a DPIA to assess the level of risk to the data subjects, it must screen its data processing activities for those that may require a DPIA “before” it processes the data.
GDPR defines three particular instances in which a data protection impact assessment is mandatory in all circumstances:
- Where there is systematic and extensive profiling
- When there is a large scale processing of special categories of data
- When there is a large scale monitoring of publicly accessible places
Let’s look at each quickly.
Systematic and extensive profiling
A company intending to systematically and extensively conduct profiling operations with important effects on the data subjects must perform a privacy impact assessment before such operations begin.
Article 35(3)(a) GDPR states that a DPIA is required when:
“a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person”
A company evaluating “personal aspects” related to a natural person may be required to perform a DPIA.
A personal aspect can be interests, behaviour, patterns or any other personal characteristic of the person.
Processing special categories of data on large scale
Any large-scale processing of special categories of personal data will require a DPIA under GDPR.
Article 35(3)(b) GDPR states that a DPIA is required when:
“processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10”
Systematically monitoring public places on large scale
When monitoring public places on a large scale, due to the potential violation of privacy and high risk to individuals, GDPR requires that a DPIA be performed.
Article 35(3)(c) GDPR states that a DPIA is required when:
“a systematic monitoring of a publicly accessible area on a large scale”
Guidelines on when data protection impact assessment is required
In 2017, the Article 29 Working Party issued its guidelines on data protection impact assessment (DPIA) to help determine whether data processing is likely to result in a high risk to data subjects.
Working Party’s guidelines on DPIA
Although the Working Party’s guidelines were issued prior to the adoption of GDPR, the European Data Protection Board, the entity replacing the Article 29 Working Party, has endorsed these guidelines.
The EDPB guidelines on data protection impact assessment recommend that organizations consider nine criteria to evaluate whether or not their data processing operations will result in a high risk to data subjects.
Processing may present a high risk when:
- You are evaluating or scoring the data subject’s performance, preferences or behaviour
- There is automated decision-making with legal or similarly significant effects on the data subject
- There is systematic monitoring of the data subjects
- Sensitive data, or data of a highly personal nature, is being used
- Data is being processed on a large scale
- You are combining or matching datasets
- You are using data concerning vulnerable data subjects
- You are using new technologies or applying new technological solutions
- The data processing can prevent the data subject from exercising his or her rights
The guidelines state that if a company believes that its data processing operations meet at least two of the nine criteria, a DPIA will need to be carried out.
In some cases, merely one criterion can result in a high risk to individuals.
Companies should carefully assess their operations.
Information Commissioner’s Office guidelines on DPIA
The Information Commissioner’s Office (ICO) in the UK has also published its guidelines on when to conduct a DPIA.
According to ICO, a company may need to do a DPIA when they:
- “use innovative technology (in combination with any of the criteria from the European guidelines);
- use profiling or special category data to decide on access to services;
- profile individuals on a large scale;
- process biometric data (in combination with any of the criteria from the European guidelines);
- process genetic data (in combination with any of the criteria from the European guidelines);
- match data or combine datasets from different sources;
- collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’) (in combination with any of the criteria from the European guidelines);
- track individuals’ location or behaviour (in combination with any of the criteria from the European guidelines);
- profile children or target marketing or online services at them; or
- process data that might endanger the individual’s physical health or safety in the event of a security breach.”
How to conduct a data protection impact assessment?
Now that you know when you need a DPIA, how do you conduct a data protection impact assessment?
The following outlines how a company should conduct its data protection impact assessment:
- Identify data processing operations that may require a DPIA
- Describe the nature, scope, context and purpose of the data processing operation
- Consult with your DPO or relevant stakeholders
- Determine whether the processing is necessary to achieve your purpose and whether it is proportionate
- Identify and evaluate the risks to data subjects
- Identify what measures you’ll take to mitigate the risks
- Finalize your decision and record the outcome in your company records
Identify the data processing operations
The first step is to identify the data processing operations that may require an impact assessment.
What type of data processing are you doing?
Are you using new technologies?
You should provide an overall explanation of what your project is all about and what type of processing you will need to do.
It is also important to document why you believe that a DPIA is necessary.
Describe the data processing operations
The next step is to describe the actual data processing operations.
What is the nature of the data processing operation?
What is the scope of your processing?
In what context are you collecting, processing and using the data subject’s personal information?
What is the purpose for which you are looking to process the data?
How will you use, store or delete the data?
What is the source of your data?
Do you need to share the data with others?
Consult with your DPO
Once you’ve identified the data processing operation and believe you may need a DPIA, you should consult with your data protection officer or the person accountable for your data privacy and protection compliance within your organization.
The objective is to consult a person with subject-matter expertise on GDPR who can guide and advise the company on the intended data processing operations.
Necessity and proportionality
The necessity and proportionality principles require that organizations determine whether they really need to process the data in the manner contemplated and if the risk to the data subjects is proportional in the circumstances.
What is the lawful basis for your data processing?
Is this the only way you can achieve your purpose?
Can personal data be used in another way?
What measures do you have to ensure you collect only the data that you need (data minimization principle)?
What type of disclosure was given to the data subject?
How will you manage and safeguard the international transfer of data?
Identify risk to data subjects
Next, you need to identify the risks to the data subjects concerned.
What is the potential impact on the data subjects if you process their personal data the way you intend to?
Can the data subject suffer a material, non-material or physical harm?
What is the likelihood of the risk from an objective point of view?
What is the severity of the potential harm to the data subjects?
What do you consider to be the overall risk to the rights and freedoms of the data subjects?
Identify risk mitigation measures
Based on the risks identified, your company will then need to determine whether or not it can mitigate the risk.
Are there possible avenues or options to minimize the risk to the data subjects?
Can you eliminate the risk completely?
If you cannot eliminate the risk completely, can you mitigate it?
If there are residual risks that you cannot mitigate, how significant can that be on the data subject?
Do you believe that the mitigations and measures you can implement will allow you to safely process the personal data while protecting the data subjects?
Record your decision
The last step is to make a decision and record it.
The document in which you’ve gone through this process of evaluating your data processing activities, considering the risks to the data subjects and your overall decisions is your data protection impact assessment.
Who should conduct a DPIA?
A data protection impact assessment must be done by data controllers.
Since data controllers define the purpose and means of data collection, processing and use, they are responsible for ensuring they comply with DPIA obligations whenever their data processing operations are likely to result in a “high risk” to data subjects.
Privacy impact assessment template
The ICO has published a sample data protection impact assessment template companies can use to record their DPIA processes and outcomes.
If you are required to perform a privacy impact assessment, it is good practice to use a DPIA template so you can standardize how you assess data processing operations and evaluate the risk to data subjects.
What is the content of a data protection impact assessment?
GDPR specifies the minimum amount of information that organizations must include in their data protection impact assessment.
Article 35(7) GDPR states that the assessment must include:
“(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.”
It is important to keep the GDPR requirements in mind when preparing a data protection impact assessment.
Data protection impact assessment policy
Every company’s data processing circumstances are unique to their business.
One thing is certain: if your organization is subject to GDPR, it must define a process for performing a data protection impact assessment, as one may be necessary.
The best practice is to implement DPIA policies and procedures to ensure internal stakeholders, employees and representatives are aware of the GDPR requirements and can flag any data processing activity they believe may require a DPIA.
Privacy impact assessment checklist
The ICO has published a very good privacy impact assessment checklist allowing companies to assess their obligations under GDPR.
The DPIA checklist is divided into three categories:
- DPIA awareness checklist
- DPIA screening checklist
- DPIA process checklist
You can use this checklist to conduct your privacy impact assessments and manage your internal processes to raise internal awareness of your data processing obligations and screen for what may require a DPIA.
Penalties under GDPR
A company whose data processing operations expose data subjects to a high risk, or that processes data in a way for which GDPR requires a DPIA, could face significant fines and sanctions if it fails to conduct one.
A data protection impact assessment, or DPIA for short, is a process by which an organization investigates, recognizes and mitigates potential risks in processing data subjects’ personal data.
GDPR does not want organizations to mindlessly collect personal data on individuals and process them in whatever way they feel is commercially viable.
The goal is to balance a company’s legitimate commercial needs with the protection of the data subjects’ rights and freedoms.
In this article, we’ve looked at the notion of DPIA in detail so you know:
- What a DPIA is
- How to conduct a DPIA
- When to conduct a DPIA
- Where to find useful DPIA checklists
- Where to find useful DPIA templates to conduct an assessment
- More about the topic
This document should be your go-to guide with respect to your data protection impact assessment or any form of privacy assessment needs.