Data Protection Impact Assessment, also known as a DPIA, is a mandatory requirement according to Article 35 of the GDPR. The article gives guidance as to when to perform a DPIA, stating:
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
What should a DPIA contain and how to perform one?
According to Article 35 of the GDPR, a DPIA should contain at least four essential aspects. The first is a systematic description of the processing operations and the purposes of the processing. It should also assess the necessity and proportionality of the processing in relation to the purposes. The risks to the rights and freedoms of the data subjects must also be included, as well as the measures taken to address the risks. These measures can include safeguards, security measures and other mechanisms to protect personal data.
Don’t forget that the DPIA has to be performed before the processing begins. The controller has the responsibility to ensure this requirement is satisfied. Consultation with a DPO (Data Protection Officer) is also advised, but not mandatory. Another important aspect is to check compliance with any applicable codes of conduct when performing the DPIA.
When should you perform a DPIA?
Again, Article 35 outlines some situations in which a DPIA is mandatory. One such case is when you are processing special categories of data on a large scale, or any personal data that relates to criminal convictions. Also, if the processing is based on automated decision making, including profiling, a DPIA is necessary. The last case outlined in Article 35 is systematic monitoring of a publicly accessible area on a large scale.
However, if the processing is not likely to result in high risks to the rights and freedoms of individuals, or if the processing has already been authorized for a very similar operation, you don’t need a DPIA. The same goes when the processing has a legal basis in EU or Member State law. The Data Protection Impact Assessment will only apply to processing operations started after 25th May 2018. Start by answering some simple questions:
- what data do we have?
- do we really need all this data?
- how are we using the data we have?
- what risks arise from processing this data?
- how can we lower these risks?
Article 29 Working Party Guidelines on DPIA
The full release of guidelines by the WP29 can be found here.
Let’s discuss a couple of examples of data processing, as they appear in the guidelines offered by the WP29. Take an online magazine that uses a mailing list to send out a daily digest to its readers. While this can be considered data processing, it does not require a DPIA as no high risks are involved. Or take an e-commerce website that displays ads based on limited profiling of past purchases. It is clearly a case of profiling, but it is not systematic or extensive. Hence, a DPIA is not required.
So, when is it required? In many cases, actually. For example, a hospital will need a DPIA since it processes health data and possibly even genetic data. Companies that monitor their employees, including their workstations, need to perform an impact assessment since they are processing data of vulnerable data subjects. If you gather social media profiles as data to be used by private companies, you will again need a DPIA. In this case the processing is considered evaluation, and it falls under the category of large-scale processing of data. Other situations where you need a DPIA include international data transfers and the use of innovative technologies, like a combination of fingerprints and facial recognition. These are only a few examples. More can be found in the WP29 guidelines.
The main purpose of a DPIA is to assess any risks that might arise from the data processing and address them. Those familiar with ISO 27001, and companies that have implemented the standard, will find that the DPIA is a similar process to the risk assessment required there. If in your ISO 27001 work you identified personal data as an asset for your company and have addressed all risks around it, you are very close to complying with the DPIA requirement. The WP29 guidelines shed some light on how to perform an impact assessment. They can help you understand what exactly “high risk” means under the GDPR, something that will prove extremely useful when performing an impact assessment. If, in the end, you are unsure whether you need a DPIA or not, it probably means you should perform one, just to stay on the safe side.
Photo credit: Foter.com