GDPR Data Protection Impact Assessments: 3 Key Insights You Should Know
Data Protection Impact Assessments (DPIAs) were one of several new requirements that the EU General Data Protection Regulation (GDPR) introduced for organizations to comply with. Data controllers are required to carry out a DPIA in the planning stages of a project when that project is likely to result in a high risk to the rights and freedoms of the data subject. Performing a DPIA at the outset of a project also helps to demonstrate compliance with Article 25 of the GDPR, which requires that data protection be considered in the initial design stages of a project, fulfilling the concept of ‘Privacy by Design’.
Conducting a DPIA can have many benefits for the data controller, including mitigating business and data protection risks and highlighting gaps in a privacy program. It can also help to demonstrate compliance with Article 35 of the GDPR, avoid the risk of potential monetary penalties for non-compliance, and build consumer trust by ensuring the correct protections are in place for high-risk processing of personal data, such as the processing of special categories of personal data.
So, what exactly is a DPIA? When should data controllers conduct a DPIA? And, what other requirements should be considered when performing a DPIA?
What is a Data Protection Impact Assessment?
A DPIA is a risk assessment that the data controller is required to carry out under Article 35 of the GDPR. A DPIA evaluates the impact of processing activities where those activities are likely to result in a high risk to the rights and freedoms of the data subject.
The GDPR highlights several elements of data processing activities that must be considered within the DPIA in order to measure the potential impact on the data subject and to determine the appropriate protections for personal data that can be put in place.
In cases where a DPIA finds that processing activities are likely to result in a high risk to the data subject in the absence of measures taken by the controller to mitigate that risk, the data controller is required to consult the relevant supervisory authority before processing begins.
When Should a Data Protection Impact Assessment Be Conducted?
At a high level, a DPIA should be conducted during the planning stages of any new project that may significantly infringe on the rights and freedoms of individuals. Data controllers may request that a data processor perform a DPIA on their behalf.
Article 35(3) also outlines some specific scenarios in which a DPIA should be carried out; these include:
- Processing operations that extensively rely on automated decision-making and profiling and that have a legal or similarly significant effect on individuals
- Processing sensitive data on a large scale
- Systematic monitoring of a public space
Article 35(4) and Article 35(5) also provide Supervisory Authorities of European Union Member States the ability to establish lists of certain types of processing activities that do and do not require a DPIA. These lists should be made public as well as shared with the European Data Protection Board (EDPB). For example, the Irish Data Protection Commission (DPC) determined that the following processing activities, among others, require the data controller to perform a DPIA:
- Profiling vulnerable persons including children to target marketing or online services at such persons
- Systematically monitoring, tracking, or observing individuals’ location or behavior
- Combining, linking, or cross-referencing separate datasets where such linking significantly contributes to or is used for profiling or behavioral analysis of individuals
In addition, Article 35(1) states that in scenarios where several similar processing activities are concerned, a single DPIA would be sufficient, provided the identified risks associated with each set of processing activities are similar.
Data Protection Impact Assessment Guidelines: What should be included in a DPIA?
It is just as important for data controllers to understand what they need to include in a DPIA as it is to understand when to conduct one. Article 35(7) of the GDPR highlights that the DPIA should contain at a minimum:
- A description of the processing operations, including types of data, the source of the data, and applicable retention periods
- The purposes of the processing, including the legitimate interest pursued by the data controller, if applicable
- An assessment of the necessity and proportionality of the processing in relation to the purposes
- An assessment of the risks to the rights and freedoms of data subjects
- The measures in place to address the risks, including:
  - Safeguards
  - Security measures
  - Mechanisms
Businesses should consult with their Data Protection Officer (DPO) when conducting a DPIA to ensure that privacy risks associated with high-risk activities, such as the use of new technologies, are mitigated at the outset of a project plan.
While Article 35(7) of the GDPR details what should be included in a DPIA at a minimum, several Supervisory Authorities have issued guidance on the matter, including the Article 29 Working Party (WP29), now the European Data Protection Board, which provides a common interpretation of Article 35 for data controllers to consult.
Other supervisory authorities have released guidelines and tools relating to performing DPIAs. For example, the French data protection authority (CNIL) published a DPIA toolkit which includes guidance, software, and case studies. The Irish DPC has also released comprehensive information relating to all aspects of performing a DPIA for data controllers to refer to. Additionally, the UK Information Commissioner’s Office (ICO) has published its own detailed guidance on DPIAs.
Aside from the guidance of Supervisory Authorities across Europe, data controllers can also rely on software such as OneTrust Assessment Automation, which can help to operationalize DPIAs and Privacy Impact Assessments (PIAs) with custom or pre-built DPIA templates, third-party collaboration, and automation.