Data Protection Impact Assessment under the GDPR (DPIA)
DPIAs (data protection impact assessments) are compulsory for certain high-risk processing activities under the GDPR (General Data Protection Regulation). A DPIA helps an organisation identify, assess and mitigate the privacy risks arising from a data processing activity, which makes it a core component of any effective information security management system.
Conducting DPIAs also helps organisations demonstrate compliance with the GDPR's accountability principle, by showing that the relevant risks have been considered and appropriate controls identified. Failure to carry out a DPIA where one is required (Article 35) can attract administrative fines of up to €10 million or 2% of an organisation's annual global turnover, whichever is higher.
When is a DPIA needed?
Article 35(3) of the GDPR specifies three cases in which a DPIA is always required:
A systematic and extensive evaluation of personal aspects relating to natural persons, based on automated processing (including profiling), on which decisions are based that produce legal effects concerning the person or similarly significantly affect them.
Large-scale processing of special category data (e.g. health data, racial or ethnic origin, political opinions, genetic or biometric data) or of personal data relating to criminal convictions and offences.
Systematic monitoring of a publicly accessible area on a large scale.
Additionally, the GDPR requires each supervisory authority to publish a list of the kinds of processing operations that require a DPIA (Article 35(4)), and permits it to publish a list of those that do not (Article 35(5)). The list published by the Belgian supervisory authority can be accessed here (in Dutch).
At what point should a DPIA be conducted?
An effective DPIA must be conducted in the early stages of a project's lifecycle, before the processing begins. Its findings and recommendations must be incorporated into the design of the processing operation so that privacy protection is built in rather than bolted on afterwards.
This is known as 'privacy by design' (the GDPR calls it 'data protection by design and by default', Article 25) and has the following benefits:
- Potential privacy issues and risks are identified at an early stage.
- Addressing problems early on is usually easier and cheaper than retrofitting controls later.
- Increased organisational awareness of privacy and data protection.
- Reduced likelihood of your organisation breaching the GDPR.
- Data processing takes individuals' rights into account, reducing the likelihood of a negative impact on data subjects.
Who should be involved in a DPIA?
The data controller is responsible for ensuring that the DPIA is carried out correctly; a processor must assist the controller where necessary, but the obligation remains the controller's.
DPIAs are complex and should be conducted by people with appropriate expertise and knowledge of the project in question, typically the project team. If your organisation lacks the requisite expertise and experience, you could bring in external specialists to advise on or carry out the DPIA. Appropriate internal staff will nevertheless need to be involved to ensure that your organisation's privacy requirements are met.
Any organisation with a designated DPO (data protection officer) must seek the DPO's advice when conducting a DPIA (Article 35(2)). The advice given, and the decisions taken in response to it, should be recorded as part of the DPIA documentation.
What is ‘privacy by design’?
DPIAs are an integral part of taking a privacy-by-design approach.
Privacy by design means that privacy issues are considered and embedded into a programme's design from the earliest stage, rather than being addressed after the processing has been built.
Examples of personal data processing where a DPIA is likely to be required
- A hospital processing its patients’ genetic and health data.
- Archiving pseudonymised sensitive data from research projects or clinical trials.
- An organisation using an intelligent video analysis system to identify cars and automatically recognise registration plates.
- A company systematically monitoring its employees’ activities, including their workstations and Internet activity.
- Gathering public social media data for generating profiles.
- An institution creating a national credit rating or fraud database.
The EU's Article 29 Working Party (WP29, since replaced by the European Data Protection Board) set out nine criteria that organisations should consider when determining the risks posed by a processing operation, including evaluation or scoring, automated decision-making with legal or similar effect, systematic monitoring, sensitive data, large-scale processing, matching or combining datasets, data concerning vulnerable data subjects, innovative use of technology, and processing that prevents individuals from exercising a right or using a service. The more criteria your processing activity meets, the more likely it is to pose a high risk to individuals; WP29's guidance is that processing meeting two or more criteria will generally require a DPIA. Read the WP29 guidance on DPIAs >>
Key elements of a successful DPIA
The GDPR does not prescribe a particular DPIA methodology, leaving organisations free to adopt a framework that fits their existing working practices. It does, however, set out the minimum contents of a DPIA (Article 35(7)): a systematic description of the processing and its purposes, an assessment of its necessity and proportionality, an assessment of the risks to data subjects, and the measures envisaged to address those risks.
The key elements of a successful DPIA are:
- Identifying whether a DPIA is required;
- Describing the characteristics of the processing (data, purposes, flows, recipients and retention) so that the risks can be assessed;
- Identifying data protection and related risks to data subjects;
- Identifying data protection measures to reduce or eliminate the risks;
- Consulting the supervisory authority before processing begins if a high residual risk remains after mitigation (Article 36);
- Signing off on the outcomes of the DPIA and recording the decisions taken;
- Integrating the data protection measures into the project; and
- Reviewing the DPIA whenever the risk presented by the processing changes (Article 35(11)).
When initiating a DPIA as part of your organisation’s GDPR compliance project, it is important to ensure you have the right training, resources and expertise to fulfil the DPIA requirements. IT Governance Europe’s solutions can help you fill the gaps in your GDPR compliance project with consultancy, documentation toolkits and more.
Our solutions to help you conduct a DPIA
Receive a complete set of documentation templates that are easy to use and customisable and that support your GDPR compliance programme, including a Data Protection Impact Assessment (DPIA) Tool.
Speak to a GDPR advisor
Please contact our GDPR team for advice and guidance on our products and services.