A Data Protection Impact Assessment (DPIA) is an important tool to ensure compliance with the General Data Protection Regulation (GDPR). Whilst a legal requirement in the case of “High Risk” processing, many Data Controllers undertake a DPIA for any new data sharing and data processing operations and projects.
The current DPIA status quo is often a lengthy, paper-based, complicated, inefficient and non-standardised process. Lacking the benefit of smart working practices, DPOs and IG professionals across the country can all see the benefits that a digital approach will bring.
Working with leading public sector solution designers, Looking Local, in collaboration with 12 public sector bodies from across local government, health, education – with engagement from the ICO, NHSX, IRMS and Information Sharing Gateway – this project will shape the future of the DPIA process.
The resulting co-designed solution will deliver a cloud-based platform which will assess whether a DPIA needs to be completed, provide a standardised approach to data capture, and allow tasks to be allocated to various user roles to ensure timely, quality completion and sign-off of a DPIA.
By developing a guided, accessible and national platform, it will be possible to equip individual service departments with the tools they need to assume responsibility for their own DPIA needs, both upskilling staff and spreading the burden of completing DPIAs, as well as enabling collaborative, multi-partner DPIA management.
The usage of a DPIA is not new, nor is that of privacy impact assessments or PIAs. However, under the GDPR a Data Protection Impact Assessment or DPIA is mandatory in specific circumstances. These circumstances are broader than one might expect when just looking at the key stipulations regarding the need for a DPIA in the text of the GDPR itself.
Needless to say, in a data-driven economy personal data are often more valuable than other types of data, depending on the scope and purpose of the processing (scientific research, profiling and targeting, you name it), and thus deserve more protection. Simply put, a DPIA is mainly used when an organization is anything but sure about the impact on data protection of something it is planning to do and needs more thorough analysis and guidance, among others by involving regulators, professionals and/or supervisory authorities. In the latest WP29 guidelines the role of the Chief Information Security Officer (CISO), for example, is also strengthened.
One DPIA may be used to assess the impact of several data processing operations that are similar and are likely to lead to similar risks,
the advice of the data protection officer needs to be sought (when there is one, of course; the designation of a data protection officer is only mandatory in specific cases),
where appropriate, the views of data subjects themselves (or their representatives) will be sought regarding the planned data processing activities for which the DPIA is needed (keeping in mind aspects other than the data subject’s rights, such as commercial, public and security aspects),
the supervisory authority will establish a list of the processing operations for which a DPIA is required and make it public.
GDPR Recital 89, which abolishes the general obligation to notify the processing of personal data to supervisory authorities, as was the case under Directive 95/46/EC, and instead calls for more effective procedures and mechanisms, in particular for processing operations using new technologies,
GDPR Recital 90, which refers to Recital 89, says that in such cases a DPIA should be carried out, and stipulates what a DPIA should contain,
GDPR Recital 91, which dives deeper into the necessity of a DPIA,
GDPR Recital 92, which mentions the reasons for a data protection impact assessment to be broader than a single project, and
GDPR Recital 93, which tackles DPIAs for public authorities.
OK, so those are the main things about DPIAs in the scope of Article 35 and the Recitals of the GDPR. Now on to the guidelines of the WP29 (Article 29 Working Party).
The Chief Information Security Officer (CISO), if appointed, as well as the DPO, could suggest that the controller carries out a DPIA on a specific processing operation, and should help the stakeholders on the methodology, help to evaluate the quality of the risk assessment and whether the residual risk is acceptable, and to develop knowledge specific to the data controller context.
As a reminder: we base ourselves on the version of the “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is likely to result in a high risk for the purposes of Regulation 2016/679” as last revised and adopted on October 4, 2017.
First, the requirement to conduct a DPIA, when one needs to be conducted, must be understood against the background of the controller’s general obligation to appropriately manage the risks arising from the processing of personal data.
That risk, which the guidelines define as “a scenario describing an event and its consequences, estimated in terms of severity and likelihood”, and the obligation of risk management (which appropriately managing risks of course is; the guidelines define risk management as “the coordinated activities to direct and control an organization with regard to risk”), are essential, and controllers cannot cover them with insurance policies. It is the responsibility of the controller, and that responsibility, as well as the ability to manage it, comes with duties to identify, analyze, estimate, evaluate, treat (e.g. mitigate) and review risks regularly.