A Data Protection Impact Assessment (DPIA) is a process that systematically identifies and minimizes the risks arising from the processing of personal data. A DPIA should help you demonstrate both your compliance with data protection obligations and your accountability.
EU Guidelines define DPIA as:
“… a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them.”
Organizations usually conduct a DPIA when they engage in a new data processing activity or modify an existing one (e.g. when new technology is deployed).
A DPIA is a formal procedure that aims to record and evaluate an activity specifically related to the processing of personal data. It assesses the level of risk by considering both the severity and the likelihood of the impact on individuals.
Implementation of a Data Protection Impact Assessment (DPIA) is an important aspect of the General Data Protection Regulation (GDPR) accountability obligations of an organization.
Under the GDPR, a DPIA is a legal requirement if a data controller envisages a processing activity that is “likely to result in a high risk to the rights and freedoms of natural persons” (GDPR, Article 35).
“Where a type of processing, in particular, using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
If, in such a case, the controller fails to undertake a DPIA, it risks an administrative fine of up to 2% of the organization’s annual global turnover or €10 million, whichever of the two is higher.
Now that we have your attention, we should also say that DPIA is not something to be afraid of.
On the contrary: a DPIA can bring real benefits to your organization, so that even where you are not required to undertake one, it is highly recommended to do so.
For example, when you are about to introduce a new product or service, a DPIA will greatly help you adhere to the core principles of personal data processing.
This does not mean that conducting a DPIA is an easy exercise. One aggravating factor is that it is not a one-size-fits-all process that can be tailored easily to every type of organization.
A DPIA is a comprehensive exercise: it should include a risk assessment, accompanied by a list of the measures the organization will take to reduce the identified risks.
So when should a data protection impact assessment be conducted?
As mentioned above, you should conduct a DPIA before you begin any type of processing that is likely to result in a high risk.
This means you need to screen for risk factors that point to a potentially serious impact on individuals.
According to the GDPR, you must conduct a DPIA if you plan to:
Use systematic and extensive profiling with significant effects;
Process special category or criminal offence data on a large scale; or
Systematically monitor publicly accessible places on a large scale.
Among the very first questions you as a data controller should ask are:
Why do you want to process personal data?
Is there a legitimate interest in the processing?
What will be the result of the processing?
What will you achieve with the processing?
This should give you a clear picture of what might affect individuals’ expectations. Questions to ask include:
What is the source of the data which you want to process?
What does your relationship with the data subjects look like?
If you have experience with a specific type of processing that you are about to repeat, make sure to highlight it too. Furthermore, the GDPR guarantees various data subjects’ rights, so you need to specify whether your data subjects have control over the data you collect and process.
This is the part where you have to be clear about how you plan to use the data. Some questions to help you might be:
Who are the people with access to the data?
Whom do you share the data with?
How is the data collected and stored?
What are the defined retention periods?
What security measures have you undertaken to protect the data?
How do you use the data?
Here you will consider what the processing of personal data covers, for example:
Duration of the processing
The sensitivity of the personal data
Frequency and extent of the processing
The number of data subjects whose personal data are involved in the processing
Make sure to consult all parties involved, especially data processors, where necessary.
Although it is the data controller’s responsibility to conduct DPIAs, the GDPR stipulates that data processors must “assist the controller in ensuring compliance” (GDPR, Article 28).