Data Protection Impact Assessments (DPIAs)

Data Protection Impact Assessments (DPIAs)

Data Protection Impact Assessments can be very beneficial to organizations that need to be GDPR compliant. A Data Protection Impact Assessment (DPIA) is a GDPR-required process that helps to identify and then mitigate the risks of any new project that an organization might begin. 

In this guide, we’ll explore what a DPIA is, how to create one, and what you need to know about how to complete one.

What is a DPIA?

A Data Protection Impact Assessment (also known as a DPIA) is, in essence, a procedure designed to detect and reduce risks related to the processing of personal data. The treatment of personal data contrary to the intentions of the subject is one example of how personal data may be at risk from unauthorized access by internal or external actors. When a particular processing activity poses a significant danger to a person's rights and freedoms, it is necessary to do this evaluation.

This evaluation shouldn't be done once, but rather whenever there is a "change of the risk represented by processing activities" or, to be extra careful, whenever a new project that requires the processing of personal data is launched, regardless of any indication of high risk. Furthermore, this exercise should not only contain a risk assessment, but also a list of actions that the business will take to address any of the hazards identified.

When Do You Need a DPIA?

A DPIA is required under Article 35 of the GDPR when a type of processing, in particular using new technologies and taking into account the nature, scope, context, and purposes of the processing, is “likely to result in a high risk” to natural persons' rights and freedoms. The controller must conduct an assessment of the impact of the proposed processing operations on the protection of personal data prior to the processing.

A DPIA is required for any project that began on or after May 25, 2018. This also holds true for initiatives that were initiated before that time but have undergone changes that might now pose new privacy hazards. 

In essence, a DPIA will be required for all data processing operations that pose a danger to the rights and liberties of EU people. Large-scale processing of personal data, assessing people personally, and surveillance of public spaces are a few examples of such actions. 

If a company processes data on behalf of the public or is compelled by law to do so, it is not obligated to complete a DPIA. Additional information regarding the circumstances that call for a DPIA is provided below:

• Profiling - Any processing activities that evaluate or score an individual based on their performance at their jobs, their physical or mental health, race, gender, economic status, and other factors like the data subject's personal preferences or behavior are prohibited in order to protect data subjects from unfair discrimination.
• Physical surveillance - DPIAs must be carried out by organizations that employ surveillance technology to keep an eye on data subjects in public spaces.
• Large-scale data processing - This refers to the volume of processed data, the project's geographic extent, and the length of the processing operations.
• Decision-making that is automated - As mentioned above, all data processing operations that include automated decision-making need to be carefully examined to make sure they don't lead to unjust discrimination against a person.
• The processing of biometric information - Utilizing the Internet of things (IoT) devices as well as fingerprint scanners and facial recognition software are examples of processing biometric data.
• Data transfer beyond the EU - This occurs when a company extends its services to a nation outside the EU.
• Limiting a data subject's access to services - In some cases, a data subject's access to a service may be restricted due to information that the organization has gathered on their behalf. A DPIA must be conducted in these conditions.
• Data processing of information related to vulnerable people - This includes the processing of data from those who are at risk, such as minors, people with mental illnesses, and anybody else who might be unable to object to the processing of their data.
• Merging of data groups - When processing data that involves combining or comparing numerous pieces of information gathered for various purposes, an organization is required to do a DPIA.

How Can an Organization Conduct a DPIA?

Organizations will need to collaborate closely with their Data Protection Officer and any other important project stakeholders throughout the evaluation process in order to comply with the GDPR's standards. Before any data processing operations start, a DPIA should be conducted early on in the project. The GDPR provides for some freedom in selecting the DPIA's procedure and orchestration in order to best suit an organization's present practices as well as industry or business-specific needs. Below is a description of the usual procedure for doing a DPI.

1. Decide Whether a DPIA Is Necessary

Use the GDPR's regulations to help you decide whether a DPIA is necessary. If there is any uncertainty, It is still a good idea to do the evaluation to make sure compliance is upheld.

2. Describe the Steps Involved in Processing, and the Intended Outcomes

The initial stage in this procedure is to specify and record the nature of the data's scope as well as how it is being processed throughout the project. You can achieve this by responding to inquiries like the ones below:

• Where are the data coming from?
• Is this information kept by any outside parties?
• Do any high-risk data categories come into play?
• Where are operations involving data processing occurring?
• What are the criteria for data retention?
• How many data subjects are impacted and how much data is being collected?
• How is information gathered and used?
• How and where are data stored?

The following stage is to explain how the project's goals connect to the aim of the data processing operations. Describe each data processing activity in detail, along with how it will affect consumers and how it will be used for the project.

3. Assess Overall Necessity

Justifying the data processing operations that are taking place in relation to what is truly needed for the project's goals and outcomes is a crucial component of the DPIA. Start off by responding to the following questions:

• Have comparable procedures been used in earlier projects of a similar nature?
• Have they been found to have security flaws?
• Is data processing required to carry out the project's goals?
• In what ways are consumer rights upheld?
• Is it possible to limit how customer data is used?
• Is the collection of this information authorized by law?
• Are the right consent procedures in place?
• Are there any susceptible data subjects?

4. Consult the Appropriate Parties

Throughout the DPIA creation process, be sure to consult key individuals to ensure everyone involved is on the same page:

• The project's possible hazards and processing operations should be discussed with the data protection officer, who should also offer input.
• Any project stakeholders should thoroughly comprehend the scope and requirement of data processing operations and develop and recommend appropriate methods to mitigate any risks that may have been found.
• All Data Subjects or their representatives in order to get input on their opinions of the data processing operations taking place throughout the project and ensure the legality of the data processing operations.

Conclusion

Building a DPIA doesn’t have to be difficult. At Accountable HQ, we offer a DPIA that is easy to customize and use to become and remain GDPR compliant. Take a look at our policy management section to learn more about how we can help you build a DPIA that suits your unique needs.