What are the Key Stages of Data Protection Impact Assessment?

Written by narendrasahoo | Published 2021/10/07
Tech Story Tags: data-protection | gdpr | gdpr-compliance | data-processing | european-union | europe | dpia | key-stages-data-protection

TL;DR: The GDPR mandates a Data Protection Impact Assessment (DPIA) for any data processing activity that may result in a high risk to data subjects' rights and freedoms. The assessment helps identify and fix issues at the early stages of a project, thereby reducing the associated costs and damage to the business. Failure to conduct a DPIA can result in non-compliance with the Regulation and raises the possibility of a data breach. The assessment evaluates the risk exposure of the data processing activities that could impact data subjects.

The GDPR clearly mandates a Data Protection Impact Assessment for any data processing activity that may result in a high risk to data subjects' rights and freedoms. It is one of the most essential and specific processes mandated by the Regulation, and it determines the risk exposure of sensitive data. The assessment evaluates the risk exposure of the data processing activities that could impact data subjects, and it helps identify and fix issues at the early stages of a project, thereby reducing the associated costs and damage to the business.

It takes into consideration the privacy-by-design approach when organizations introduce new data processing systems and technology. Failure to conduct a DPIA can result in non-compliance with the GDPR and raises the possibility of a data breach. Further, it can lead to administrative fines of up to 2% of your organization's annual global turnover or €10 million, whichever is greater. So, the organization must conduct a DPIA annually. In this article we share the key steps for conducting a DPIA; they can serve as a checklist for organizations looking to understand the DPIA process flow. But first, let us look at what a DPIA is in a little more detail.

What is a Data Protection Impact Assessment?

A Data Protection Impact Assessment, also referred to as a Privacy Impact Assessment, is a mandatory requirement for organizations under Article 35 of the GDPR. The article clearly states that data controllers or processors adopting new technology or systems, or launching a new service, that processes data in a way that may impact the rights and freedoms of data subjects must conduct a thorough assessment of that impact.

This process is key to ensuring that organizations adopt a privacy-by-design approach and take measures to address the associated risks when launching a new product or service that involves processing personal data. The assessment forms the foundation of an organization's data protection framework, which helps reduce the potential risks in processing data and bring them to an acceptable level. Given below are the steps involved in a Data Protection Impact Assessment that you should know when conducting the assessment.

Key Stages of Data Protection Impact Assessment

The process of conducting a Data Protection Impact Assessment is not complicated, as there is no standard format or strict template to follow. Any evaluation process backed by documentary evidence that assesses the risks counts as a valid DPIA. Let us take a closer look at the steps involved in a DPIA to understand the process better.

Step 1: Identify the requirement of a DPIA

Organizations must first determine whether or not they are required to conduct a Data Protection Impact Assessment. For this, it is recommended that the organization consults its Data Protection Officer and identifies whether the data processing is on the list of types of processing that automatically require a DPIA. You can also check the supervisory authority's official website (for example, the ICO's, cited below) to see whether your data processing requires the assessment.

Step 2: Describe the Processing of the Data

The organization will need to document details describing the processing of the data. This includes the nature, purpose, and scope of the processing, as well as the context in which the data is processed.

Details to be included in the description, grouped under four headings:

Nature of Processing

  • How is the data collected?
  • How is the data stored?
  • How is the data used?
  • Parties who have access to the data and with whom the data is shared.
  • Retention period of the data in possession.
  • Security measures for protecting the data.
  • Use of new technologies.
  • Techniques of processing the data.
  • Screening criteria you flagged as likely high risk.

Scope of the Processing Data

  • Nature of the personal data.
  • Volume and variety of personal data.
  • Sensitivity of personal data.
  • Extent and frequency of the processing.
  • Duration of the processing.
  • Number of data subjects involved.
  • Geographical area covered.

Context of the Processing Data

  • Source of the data.
  • Nature of your relationship with the individuals.
  • Level of control the individual holds over their data.
  • Whether these individuals include children or other vulnerable people.
  • How far individuals are likely to expect the processing.
  • Experience with this type of processing.
  • Any relevant advances in technology or security.
  • Any current issues of public concern.
  • Whether you comply with any UK GDPR codes of conduct or UK GDPR certification schemes.
  • Whether you have considered and complied with relevant codes of practice.

Purpose of the Processing Data

  • Legitimate interests, where relevant.
  • The intended outcome for individuals.
  • Expected benefits for you or for society as a whole.

(Source https://ico.org.uk/)

Step 3: Consider Consultation

While the Regulation sets out no specific requirement for this, we strongly recommend that organizations take legal advice or consult independent IT experts or compliance consultants about the DPIA and the related GDPR regulatory requirements. The organization should also consult all the relevant internal stakeholders, in particular anyone with responsibility for information security.

Step 4: Assess Necessity and Proportionality

Organizations should assess whether the processing of data is essential to the performance of the proposed task and justify it with appropriate evidence. Organizations will have to demonstrate and document evidence of the following:

  • Lawful basis for the processing of data.
  • Measures implemented to prevent function creep.
  • Measures implemented to ensure data quality.
  • Processes established to ensure data minimization.
  • Processes established to provide personal information to individuals.
  • Processes established to implement and support individuals' rights.
  • Measures implemented to ensure your processors comply.
  • Safeguards in place for international transfers of data.

Step 5: Identify & Assess Risk

Organizations must conduct appropriate risk assessments to identify risk exposure that could impact the rights and freedoms of data subjects. They must also evaluate the potential harm or damage, which could include an inability to exercise rights or to access services or opportunities, loss of control over the use of personal data, discrimination, identity theft or fraud, reputational damage, financial loss, physical harm, loss of confidentiality, re-identification of pseudonymized data, or any other significant economic or social disadvantage. Organizations must identify the source of each risk and assess its potential impact. The assessment should be objective in identifying the source, type, severity, and impact of each risk.

Step 6: Identify Measures to Mitigate Risks

Once the risks are identified and classified by severity, organizations must work towards mitigating them. This can be done by limiting the collection of data, reducing the scope of processing, reducing the retention period, adding security measures, training staff, anonymizing or pseudonymizing data where possible, putting in place policies, procedures, processes, and data-sharing agreements, offering individuals the option to opt out where appropriate, and implementing new systems to help individuals exercise their rights. Organizations must also consult the appointed DPO to find ways to mitigate the risks and to confirm that the established measures are appropriate.

Step 7: Sign Off and Record Outcomes of the DPIA

A Data Protection Impact Assessment should be seen as an opportunity to improve processes, rather than as a compliance exercise. After the assessment, the outcomes should be documented and integrated into the project to fix issues and ensure compliance. The DPIA report must include the following information:

  • A detailed description of the project and its purpose.
  • Purpose and scope of the data processing assessment.
  • An assessment of data protection and consumer privacy risks.
  • The measures taken to mitigate risks and comply with GDPR guidelines.

Although there is no legal requirement to publish a DPIA, it is seen as best practice to publish DPIAs in full or in part. This fosters trust in the organization's process and demonstrates accountability and transparency to all stakeholders. However, the organization must first get approval from the parties involved, including the Data Protection Officer or members of the management team, and then obtain sign-off from supervisory authorities, such as the Data Protection Commission. (Source https://ico.org.uk/)

Conclusion

GDPR compliance is an ongoing process, so organizations will have to refer back to the DPIA continually, integrate the outcomes of the assessment, and ensure that the measures implemented on the basis of those outcomes are followed. Organizations must also verify that the measures to mitigate the risks have been effectively implemented. Throughout this process, you should consult individuals and other stakeholders as needed. That said, organizations should understand that the DPIA process is flexible and scalable: it can be designed to fit the organization's existing approach to managing risks and projects, as long as it addresses the key issues and elements. So, we also strongly recommend consulting stakeholders and DPOs when implementing measures to address the issues identified in the DPIA.


Written by narendrasahoo | Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec.
Published by HackerNoon on 2021/10/07