13 February 2020
The EU General Data Protection Regulation (GDPR) aims to improve data protection standards across the EU. To achieve this, it empowers individuals with rights over their personal data and provides a system of remedies for when things go wrong. But perhaps most importantly, it seeks to ensure that personal data is processed securely in the first place.
A Data Protection Impact Assessment (DPIA) (sometimes called a Privacy Impact Assessment) is a process designed to ensure that particularly high-risk data processing is carried out safely. It helps organizations identify risks and find solutions to any potential problems before they occur.
Let's look at how a DPIA can help your company ensure that a data processing project is GDPR-compliant.
For a full picture of what a DPIA is and how to carry it out, we have to look beyond the text of the GDPR itself.
The Working Party describes a DPIA as:
"a process designed to describe the processing, assess the necessity and proportionality of processing and to help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data."
So, a DPIA is a process that:
The Working Party also describes a DPIA as "a process for building and demonstrating compliance" with the GDPR.
It will help you apply the GDPR's principles and keep people's personal data safe. As part of your assessment, you'll produce a document which demonstrates that you've done the necessary work to carry out high-risk data processing.
Not every project will require a DPIA. But if your project does fit the requirements, a failure to carry out a DPIA could land you in serious trouble.
Article 35 (1) of the GDPR tells us when a DPIA is required:
"a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons"
In the rush to get products to market, companies can sometimes fail to properly consider their privacy implications. The GDPR suggests that certain projects should be treated as high-risk by default - for example, those that:
"involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller"
"New technologies" is not clearly defined in the GDPR - but the UK's Data Protection Authority - the Information Commissioner's Office (ICO) - suggests that it means:
"new developments to the state of technological knowledge in the world at large, rather than technology that is new to you [or] the innovative application of existing technologies to process data in new ways or for new purposes."
The European Data Protection Supervisor gives the example of the Internet of Things:
When the Global Privacy Enforcement Network conducted a survey of Internet of Things devices, it found that 60 percent of them did not properly inform users about how they process personal data. This is an example of why a DPIA is so important.
Some projects are riskier than others by nature. Factors that might contribute to risk include:
The nature of the personal data itself can also be a risk factor. The risks will be higher if you're processing "special category" data. This type of data is defined at Article 9 of the GDPR, and includes information about a person's:
Under Article 10 of the GDPR, criminal record data is also considered sensitive. It should be treated in the same way as special category data in most contexts.
Here are some examples from the ICO of the types of activities that might, by their nature, require a DPIA:
If your project involves automated decision-making and profiling with legal or similarly significant effects, you may also need to carry out a DPIA. This concept is described most comprehensively at Recital 71. It refers to situations where very important decisions, such as the denial of credit or the restriction of access to important services or utilities, are made without human intervention.
The larger in scale your project becomes, the more likely data breaches become. It's easier to lose track of people's personal data if you're processing a lot of it.
The scope of a project is a really important consideration, as shown in these two examples from the European Commission:
A doctor processes highly sensitive special category data, but does so on a small scale. Therefore, they do not require a DPIA.
A bus company is likely to be processing less sensitive data - but in this example, they are monitoring people on a large scale. Therefore, they do require a DPIA.
If you plan to do any of those things or anything with a similar type of processing, you will need to conduct a DPIA.
Article 35 (7) provides the most information about what a DPIA should include:
And here's some guidance from Recital 90 of the GDPR:
"[A DPIA] should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation."
Firstly, you'll need to establish why a DPIA is required for this particular project. This will involve a brief description of the project, particularly any "risky" aspects. For example, your project might involve one of the following activities identified as likely to require a DPIA by the Article 29 Working Party:
Next, you'll need to give a more comprehensive description of the various aspects of the project. Article 35 (1) of the GDPR mentions the nature, scope, context and purposes of the project.
This part of your DPIA refers to a consultation with the individuals and other stakeholders involved in your project including those whose personal data you plan to process.
This doesn't mean consulting with a Data Protection Authority - but this might also be necessary later.
In this section you should answer the following questions:
The Article 29 Working Party suggests that there are a number of ways you could carry out this consultation, depending on the context:
Any decision to go ahead with the project despite disagreement or reservations coming from your stakeholders should be noted and justified.
Necessity and proportionality are important concepts, which come up a lot throughout the GDPR.
In this section you'll need to answer the following questions:
Ultimately the DPIA is a process by which to reduce risk. But first, you'll need to fully explore your project to identify what the potential risks are.
You'll notice the phrase "risks to rights and freedoms" comes up a lot in the GDPR. This is discussed at Recital 75. A project might cause a risk to people's rights and freedoms if it leaves them vulnerable to things such as:
Here we can use Recital 90 of the GDPR as our guide. Think carefully about each aspect of the project and the different ways you'll be processing personal data. Make note of:
You can then rank each factor as low, medium or high risk. The ICO provides the following matrix which might help with this:
In this part of the process, you'll be considering what measures you can take to mitigate or eliminate the risks you identified in the previous section.
Sometimes the only way to eliminate or even mitigate a risk is to decide not to undertake a particular part of your project. For example, if you don't think you'll be able to keep sensitive personal data safe - don't collect it.
There may be technical solutions available, such as those suggested at Recital 78. Or methods such as:
For each risk, note the measure that you will be adopting to mitigate it. Then decide whether the residual risk is likely to be high, medium or low.
The GDPR places great importance on record-keeping. Once you have completed all the previous sections, you will need to have the project signed off by your Data Protection Officer (if you have one).
If there are any serious risks that you have not been able to successfully mitigate, particularly if you still have risk factors that remain "high" at the end of your assessment, you should consult with your Data Protection Authority.
Your Data Protection Authority should be able to offer advice on whether you can mitigate the risk, or whether the project may still go ahead despite the high risk. You may be required to complete another DPIA and resubmit it to them.
The DPIA is an important process that will help you protect your customers and your organization. It is an ongoing process which you must document throughout. It's required for projects that are naturally high-risk, are broad in scope, or involve new technologies.
Your DPIA should consist of the following steps:
Remember that at the end of your DPIA you may need to repeat the process or even abandon the project.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.