Data Protection Impact Assessments and the GDPR

What is a DPIA (data protection impact assessments)?

DPIAs (data protection impact assessments) help organisations identify, assess and mitigate or minimise privacy risks to data processing activities. They are particularly important when introducing a new data processing process, system or technology.

DPIAs also help organisations demonstrate compliance with the GDPR’s accountability principle, providing evidence that appropriate measures have been taken.

Failure to adequately conduct a DPIA where appropriate is a breach of the GDPR and could lead to fines of up to 2% of an organisation’s annual global turnover or €10 million – whichever is greater.

Key elements of a successful DPIA

The GDPR does not specify which DPIA process must be followed, but instead allows organisations to introduce a framework that complements their existing working practices. The Data Protection Commission in Ireland has guidance on how and when to carry out a DPIA.

Key elements covered are:

• Identifying whether a DPIA is required;
• Describing the information flows;
• Identifying data protection and related risks;
• Identifying data protection solutions to reduce or eliminate the risks;
• Signing off on the outcomes of the DPIA; and
• Integrating data protection solutions into the project.

When initiating a DPIA as part of your organisation’s GDPR compliance project, it is important to identify whether you have the right training, resources and expertise to fulfil the DPIA requirements. IT Governance Europe’s solutions can help you fill the gaps in your GDPR compliance with consultancy and toolkit solutions.

Why conduct a DPIA?

Article 35 of the GDPR mandates a DPIA be conducted where data processing “is likely to result in a high risk to the rights and freedoms of natural persons”. The three primary conditions identified in the GDPR are:

1. If the processing constitutes a systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
2. When conducting large-scale processing of special categories of data or of personal data relating to criminal convictions and offences.
3. When there is systematic monitoring of a publicly accessible area on a large scale.

Why are DPIAs important?

DPIAs are a useful way of ensuring the efficiency – and cost-effectiveness – of the security measures you implement.

A risk-based approach ensures you do not waste resources attempting to mitigate threats that are unlikely to occur or will have little effect.

Not carrying out a DPIA when required could leave you open to enforcement action. This could include a fine of up to 2% of your organisation’s annual global turnover or €10 million – whichever is greater.

Regular DPIAs also support the GDPR’s accountability principle, helping your organisation prove its compliance with the Regulation.

When should a DPIA be conducted?

A DPIA should be conducted as early as possible within any new project lifecycle, so that its findings and recommendations can be incorporated into the design of the processing operation.

Known as ‘privacy by design’, the embedding of data privacy features in the design of projects can have the following benefits:

• Potential problems are identified at an early stage.
• Addressing problems early will often turn out easier and cheaper, as the identified solutions can be built into the project plan.
• Increased awareness of privacy and data protection across the organisation.
• Organisations will be less likely to breach the GDPR.
• Actions are less likely to be privacy intrusive and have a negative impact on individuals.

Who should be involved in a DPIA?

Data controllers are responsible for ensuring a DPIA is carried out correctly.

A DPIA should be conducted by people with appropriate expertise and knowledge of the project in question, normally the project team. If your organisation does not have staff with sufficient expertise and experience, you could consider bringing in external specialists to consult or to carry out a DPIA.

Under the GDPR, any organisation with a designated DPO (data protection officer) must seek the DPO’s advice. This advice, and the decisions taken, should be documented as a part of the DPIA process.

Examples of personal data processing where a DPIA is likely to be required

• A hospital processing its patients’ genetic and health data.
• Archiving pseudonymised sensitive data from research projects or clinical trials.
• An organisation using an intelligent video analysis system to single out cars and automatically recognise registration plates.
• A company systematically monitoring its employees’ activities, including their workstations and Internet activity.
• Gathering public social media data for generating profiles.
• An institution creating a national credit rating or fraud database.

The EU’s Article 29 Working Party (WP29), in its guidelines on DPIAs, sets out the criteria that organisations should consider when determining the risks posed by a processing operation.

The more criteria that a processing activity meets, the more likely it is to present a high risk to the rights and freedoms of individuals, and therefore to require a DPIA.