GDPR: An organisation’s guide to Data Protection Impact Assessments

August 6, 2018

Up until the enforcement of the GDPR, individuals’ rights have not always been at the forefront of concern when organisations process their data. Moreover, the protection of individuals’ rights has not always been considered when implementing new technologies and processes.

A specific GDPR requirement is for organisations to carry out Data Protection Impact Assessments (DPIAs) prior to processing individuals’ data (when there’s a high risk to individuals’ rights). This aspect of the GDPR aims to ensure that the protection of individuals’ rights is always at the forefront of data processing and any technology or processing advancements.

What is a DPIA?

The Data Protection Impact Assessment (DPIA), also referred to as a Privacy Impact Assessment (PIA), is a systematic process for assessing the privacy risks to individuals when processing (collecting, using and disclosing) their personal data.

Article 35 of the GDPR outlines the requirement for it. Fundamentally, it is a way to identify and reduce the privacy risks to individuals that new technologies, projects, procedures and processes may trigger.

A DPIA ensures security by design, privacy by design and encourages data protection implementation by default whenever processing involves personal information.

Why and when a DPIA is needed

The DPIA is compulsory when:

“type of processing, in particular, using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operation on the protection of personal data”.

This element of the GDPR is the responsibility of the data controller and forms part of ‘accountability and privacy by design’. It must be carried out prior to commencing processing and any necessary measures must be implemented to address any risks posed before processing can start.

The GDPR describes the circumstances in which high risk is likely to be present; these are the cases where a DPIA is likely required:

  1. Where processing results in a systematic and extensive evaluation of personal aspects relating to natural persons.

     (institutions that conduct automated loan approvals, data analytics providers, online marketing companies and facilities)

  2. Where there is large-scale processing of sensitive personal data, or of personal data relating to criminal convictions and offences.

     (healthcare providers, insurance companies)

  3. Where there is large-scale systematic monitoring of publicly accessible areas.

     (the use of CCTV in public areas, leisure areas, restaurants, shopping centres, etc.)

Put simply, if an organisation is processing personal data that is likely to result in high risk to the data subject’s rights, a DPIA must be carried out prior to commencing the processing of their personal data.

It’s important to note that the DPIA is NOT an assessment of the impact of processing on anything other than the data subject’s rights.

How to undertake a DPIA

There isn’t a specific DPIA framework that all organisations must follow. So, at first glance, some may find the process challenging to understand and address. The GDPR does provide a minimum standard for carrying out a DPIA, but organisations should design a framework that works for them and covers all the aspects required by the GDPR.

A successful DPIA should establish the following:

  1. Whether the data processing complies with legal and regulatory requirements
  2. The risks and impacts of the data processing (in all its forms)
  3. The safeguards and processes for handling information that alleviate any potential privacy risks
  4. The choices and approaches available to individuals for giving consent to the processing of their personally identifiable information

Following a systematic process can help organisations tackle the DPIA in a comprehensive manner and avoid missing out any important aspects of the assessment.

An adaptable DPIA framework to get the ball rolling

This DPIA framework breaks the process into three stages, making it easier to tackle:

  1. Preparation
  2. Evaluation
  3. Safeguard, Document and Report

Stage 1. Preparation

It’s important to spend time preparing; the planning will pay off in the later stages of the process.

In preparation, the following should be addressed:

  • Assess the process and decide whether there is a legal requirement to carry out the DPIA. A DPIA may not always be obligatory, but that does not mean the assessment would not be beneficial to undertake anyway. Whether it is required will depend on the type of data being processed and the risk the processing poses to the rights of individuals.
  • If the assessment concludes that a DPIA is required, the next step is to outline the goals and scope of the DPIA.
  • When building the scope, ensure that compliance is upheld, safeguards are identified and transparency is achieved for the processing system.
  • The span of the DPIA must be well defined. An overview of the entire process is required, including a description of its purpose, details of the type of data, how and where the data is stored and in what format, how it is transferred, and the IT systems and interfaces used. Furthermore, the procedures, processes and functional roles involved must be outlined.
  • All individuals involved in and affected by the processing must be identified (all those affected by the use of the data: manufacturers, operators, processors, controllers, third parties and data subjects).
  • Legal requirements need to be recognised; sector-specific legal requirements may also apply.
  • A report must be created to document the results of the preparation stage.

Stage 2. Evaluation

This stage involves identifying the protection objectives, identifying the threats, identifying the evaluation criteria and benchmarks, and evaluating the risk.

2.1 Identify the Protection Objectives

The risks to individuals need to be identified so that appropriate remedies can be implemented to minimise them. Furthermore, the right balance needs to be achieved, and this will be unique to the organisation, the type of data processed and the systems used.

Availability, integrity and confidentiality are three well-known pillars of security; they form part of the six protection objectives used to reduce the risks.

An organisation should aim to achieve these objectives whenever processing personal data to ensure its protection and proper handling. The DPIA must cover these and demonstrate how the organisation will meet them.

  1. Availability (data must be accessible and comprehensible when required)
  2. Integrity (data must be reliable: not tampered with or changed, and it must remain accurate)
  3. Confidentiality (the need to keep data private)
  4. Unlinkability (data must not be linked across different domains or used for purposes other than those intended for the processing)
  5. Transparency (the data subject must be fully aware of how their data is being processed and must give consent)
  6. Ability to intervene (the data subject’s control over the data being processed: can it be made available on request, deleted, blocked or rectified, etc.)

2.2 Identify the threats

The DPIA must assess the threats from the perspective of the rights of the data subject and not the threat to the organisation. The threats to the data subject must be identified (type and motive) so that measures can be actioned to reduce the risk to the data subject’s rights.

2.3 Identify the evaluation criteria and benchmarks

Identifying evaluation criteria and benchmarks can help to clarify the potential risk the processing may have on the data subject’s rights so that appropriate measures can be put in place accordingly.

The potential risk could be gauged as follows:

Normal Risk: When no scenarios exist in which the nature of the processing shows potential for a high intensity of interference.

High Risk: When special categories of personal data (according to GDPR) are processed and thus a high protection standard is required by law and/or the data subjects depend on the services/decisions of the organisation.

Very High Risk: When personal data requiring a high protection standard are processed and the data subject depends on the decisions/services of the organisation. Additionally, there are risks posed by insufficient data security or by changes in the purpose of processing of which the data subject cannot become aware.

2.4 Evaluate risk

To evaluate the risk, the controller should compare the expected level of risk with the level actually identified during the assessment.

If nonconformities are found, a further assessment should be undertaken to see their impact on the protection objectives (outlined above) and the risk to the data subject.

Any insufficiencies in data protection must be addressed before processing can commence.

Stage 3. Safeguard, document and report

3.1 Identify and implement appropriate safeguards

The DPIA must describe the measures to remedy the identified risks and must include all the safeguards and measures to protect the data.

The plan must be unambiguously detailed and include:

  • Which safeguards to be taken
  • Those responsible for implementing the safeguards
  • The resources available to implement the safeguards
  • The time frame for implementation of the safeguards
  • The criteria to measure the result of safeguards
  • Detail of who will evaluate and document the criteria

3.2 Document and report on the evaluation of results

To achieve the envisioned outcome of the DPIA, it is essential to meticulously document the assessment and ensure the findings report is publicly available. The report should be standardised so that it is easily understood by all: by authorities and establishments as well as by the public.

3.3 Auditing of evaluation results

The DPIA report should be evaluated by an independent third party to ensure it has been properly conducted.

3.4 Review and continuity

The DPIA is not a one-off exercise; it should be reviewed and repeated when necessary. If risks change or develop in severity, the safeguards will need to be adapted to reflect the new circumstances and to meet the new requirements.

DPIAs should be seen as more than just a GDPR requirement: they can be beneficial in many ways

The DPIA process can be tricky to get one’s head around and may seem like yet another inconvenience, but this obligatory process can be a beneficial tool for organisations for multiple reasons.

The DPIA’s primary purpose is to reduce the risk of harm to individuals through the misuse of their personal information, but it can also help organisations discover and rectify issues early on in their procedures. Additionally, it helps with designing more efficient and effective processes for handling personal data and encourages the spread of data privacy and data protection awareness throughout the organisation.

DPIAs can help organisations redirect their focus from business procedures and business outcomes alone to the individual’s privacy and security. Ultimately, this encourages the exploration of further aspects, scenarios and alternative measures that will help deliver more efficient and secure processes in which the risk of harm to individuals is also reduced. It’s a win-win situation!