The EU General Data Protection Regulation (GDPR) aims to improve data protection standards across the EU. To achieve this, it empowers individuals with rights over their personal data and provides a system of remedies for when things go wrong. But perhaps most importantly, it seeks to ensure that personal data is processed securely in the first place.
A Data Protection Impact Assessment (DPIA) (sometimes called a Privacy Impact Assessment) is a process designed to ensure that particularly high-risk data processing is carried out safely. It helps organizations identify risks and find solutions to any potential problems before they occur.
Let's look at how a DPIA can help your company ensure that a data processing project is GDPR-compliant.
At Step 1, select the Website option or App option or both.
Answer some questions about your website or app.
Answer some questions about your business.
- 1. What is a DPIA?
- 2. When is a DPIA Needed?
- 2.1. New Technologies
- 2.2. Nature of the Project
- 2.3. Scope of the Project
- 2.4. Requirements of Data Protection Authorities
- 3. What Should a DPIA Include?
- 3.1. Identify the Need for a DPIA
- 3.2. Details of the Project
- 3.3. Consultation Process
- 3.4. Assessing Necessity and Proportionality
- 3.5. Identifying and Assessing Risk
- 3.6. Safeguarding Against Risk
- 3.7. Recording the Outcomes
- 4. Summary of Your Data Protection Impact Assessment
What is a DPIA?
For a full picture of what a DPIA is and how to carry it out, we have to look beyond the text of the GDPR itself.
The Working Party describes a DPIA as:
"a process designed to describe the processing, assess the necessity and proportionality of processing and to help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data."
So, a DPIA is a process that:
- Describes a data processing activity or project
- Assesses whether the project is:
- Manages the risks associated with the project
The Working Party also describes a DPIA as "a process for building and demonstrating compliance" with the GDPR.
It will help you apply the GDPR's principles and keep people's personal data safe. As part of your assessment, you'll produce a document which demonstrates that you've done the necessary work to carry out high-risk data processing.
When is a DPIA Needed?
Not every project will require a DPIA. But if your project does fit the requirements, a failure to carry out a DPIA could land you in serious trouble.
Article 35 (1) of the GDPR tell us when a DPIA is required:
"a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons"
In the rush to get products to market, companies can sometimes fail to properly consider their privacy implications. The GDPR suggests that certain projects should be treated as high-risk by default - for example. those that:
"involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller"
"New technologies" is not clearly defined in the GDPR - but the UK's Data Protection Authority - the Information Commissioner's Office (ICO) - suggests that it means:
"new developments to the state of technological knowledge in the world at large, rather than technology that is new to you [or] the innovative application of existing technologies to process data in new ways or for new purposes."
The European Data Protection Supervisor gives the example of the Internet of Things:
When the Global Privacy Enforcement Network conducted a survey of Internet of Things devices, it found that 60 percent of them did not properly inform users about how they process personal data. This is an example of why a DPIA is so important.
Nature of the Project
Some projects are riskier than others by nature. Factors that might contribute to risk include:
- The way in which you're collecting personal data
- The methods you're using to store it
- The people with whom you might share it
The nature of the personal data itself can also be a risk factor. The risks will be higher if you're processing "special category" data. This type of data is defined at Article 9 of the GDPR, and includes information about a person's:
- Political views
- Religion or beliefs
- Sex life
- Genetic, biometric or health data
- Union membership
Under Article 10 of the GDPR, criminal record data is also considered sensitive. It should be treated in the same way as special category data in most contexts.
Here are some examples from the ICO of the types of activities that might, by their nature, require a DPIA:
If your project involves automated decision-making and profiling with legal or similarly significant effects, you may also need to carry out a DPIA. This concept is described most comprehensively at Recital 71. It refers to situations where very important decisions, such as the denial of credit or restriction of access to important services or utilities are made without human intervention.
Scope of the Project
The larger in scale your project becomes, the more likely data breaches become. It's easier to lose track of people's personal data if you're processing a lot of it.
The scope of a project is a really important consideration, as shown in these two examples from the European Commission:
A doctor processes highly sensitive special category data, does so on a small scale. Therefore, they do not require a DPIA.
A bus company is likely to be processing less sensitive data - but in this example, they are monitoring people on a large scale. Therefore, they do require a DPIA.
Requirements of Data Protection Authorities
If you plan to do any of those things or anything with a similar type of processing, you will need to conduct a DPIA.
What Should a DPIA Include?
Article 35 (7) provides the most information about what a DPIA should include:
- A systematic description of the project, with details about the purposes of the data processing and legitimate interests (where relevant)
- An assessment of whether the project is necessary and proportionate
- A risk assessment
- Details of the measures taken to safeguard against risks
And here's some guidance from Recital 90 of the GDPR:
"[A DPIA] should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation."
Identify the Need for a DPIA
Firstly, you'll need to establish why a DPIA is required for this particular project. This will involve a brief description of the project, particularly any "risky" aspects. For example, your project might involve one of the following activities identified as likely to require a DPIA by the Article 29 Working Party:
- Evaluation or scoring
- Automated decision-making
- Systematic monitoring, particularly of a large public area
- Processing highly personal data, including special category or criminal conviction data, biometric, health or genetic data
- Large-scale personal data processing
- Combining sets of data from different sources in a way that people might not reasonably expect
- Processing vulnerable people's personal data including children, disabled persons or your employees
- Using new technology or applying existing technology in a novel or untested way
Details of the Project
Next, you'll need to give a more comprehensive description of the various aspects of the project. Article 35 (1) of the GDPR mentions the nature, scope, context and purposes of the project.
- What categories of personal data will you be processing?
- Will you be processing sensitive personal data?
- What methods are you using to collect personal data?
- How will the personal data be stored?
- How will you be using personal data?
- How will it be safely deleted?
- Are you collecting personal data from third-party sources?
- Will you be sharing personal data with third-party recipients?
- How much personal data will you be collecting?
- From how many people?
- Does this represent a substantial proportion of the population?
- What geographical area will it cover?
- How long will you be retaining the personal data?
- What's your relationship with the individuals whose personal data you're processing?
- How will they maintain control over their personal data?
- Is the project in line with their reasonable expectations?
- Have there previously been any incidents or concerns relating to this type of processing?
- Are you using new technology, or applying existing technology in a novel way?
- Are you part of an approved certification scheme or adhering to an approved code of conduct?
- What is the aim of the project?
- What effect should it have on the individuals whose personal data you're processing?
- Who will benefit, and how?
This part of your DPIA refers to a consultation with the individuals and other stakeholders involved in your project including those whose personal data you plan to process.
This doesn't mean consulting with a Data Protection Authority - but this might also be necessary later.
In this section you should answer the following questions:
- Are you planning to consult with the individuals whose personal data you plan to process?
- If not - why not? You must justify this decision.
- Is there anyone else within your organization, who is not directly involved in the project that you need to consult?
- Do you need to consult with any data processors that you plan to engage as part of the project?
- Do you need to bring in outside experts - for example, information security or technology consultants?
The Article 29 Working Party suggests that there are a number of ways you could carry out this consultation, depending on the context:
- A "generic study" about the type of data processing the project involves
- A question to staff representatives
- A survey sent out to potential future customers
Any decision to go ahead with the project despite disagreement or reservations coming from your stakeholders should be noted and justified.
Assessing Necessity and Proportionality
Necessity and proportionality are important concepts, which come up a lot throughout the GDPR.
- Necessity - is processing people's personal data in this way necessary in order to achieve the aims of the project?
- Proportionality - is this a proportionate way to process people's personal data? Are there less risky or intrusive ways to achieve the aims of the project?
In this section you'll need to answer the following questions:
- What is your legal basis for the different types of processing in the project?
- How does the processing achieve the project's purpose?
- How you considered alternative ways to achieve the same outcome?
- What measures will you take to prevent "function creep?"
- How will you apply the principles of purpose limitation and data minimization?
- How will you facilitate your users' data rights?
- If you're using third-party data processors, how will you construct your data processing agreements to ensure they act safely?
- How will you ensure the security of any international data transfers?
Identifying and Assessing Risk
Ultimately the DPIA is a process by which to reduce risk. But first, you'll need to fully explore your project to identify what the potential risks are.
You'll notice the phrase "risks to rights and freedoms" comes up a lot in the GDPR. This is discussed at Recital 75. A project might cause a risk to people's rights and freedoms if it leaves them vulnerable to things such as:
- Identity theft or fraud
- Financial loss
- Reputational damage
- Confidentiality breaches
- Revealing of sensitive information
Here we can use Recital 90 of the GDPR as our guide. Think carefully about each aspect of the project and the different ways you'll be processing personal data. Make note of:
- When and where the risk arises (the source)
- The likelihood that harm will occur
- How severe the harm would be
You can then rank each factor as low, medium or high risk. The ICO provides the following matrix which might help with this:
Safeguarding Against Risk
In this part of the process, you'll be considering what measures you can take to mitigate or eliminate the risks you identified in the previous section.
Sometimes the only way to eliminate or even mitigate a risk is to decide not to undertake a particular part of your project. For example, if you don't think you'll be able to keep sensitive personal data safe - don't collect it.
There may be technical solutions available, such as those suggested at Recital 78. Or methods such as:
- Internal policies or guidance on data protection
- Shortening of storage periods
- Allowing opt-outs
- Strict data sharing agreements
For each risk, note the measure that you will be adopting to mitigate against it. Then decide whether the residual risk is likely to be high, medium or low.
Recording the Outcomes
The GDPR places great importance on record-keeping. Once you have completed all the previous sections, you will need to have the project signed off by your Data Protection Officer (if you have one).
If there are any serious risks that you have not been able to successfully mitigate against, particularly if you still have risk factors that remain "high" at the end of your assessment, you should consult with your Data Protection Authority.
Your Data Protection Authority should be able to offer advice on whether you can mitigate the risk, or whether the project may still go ahead despite the high risk. You may be required to complete another DPIA and resubmit it to them.
Summary of Your Data Protection Impact Assessment
The DPIA is an important process that will help you protect your customers and your organization. It is an ongoing process which you must document throughout. It's required for projects that are naturally high-risk, are broad in scope, or involve new technologies.
Your DPIA should consist of the following steps:
- Identify the need for a DPIA
- Describe the project in detail
- Consult with key stakeholders
- Assess the project's necessity and proportionality
- Identify and assess the risks involved in your project
- Describe the measures you will take to safeguard against the risk
- Consult with your Data Protection Officer and possibly your Data Protection Authority and record the outcomes
Remember that at the end of your DPIA you may need to repeat the process or even abandon the project.