Data Protection Impact Assessments (DPIAs) are an often misunderstood element of GDPR compliance. Like so much of the GDPR there is little precision in the regulations, but a process must be followed and an artefact must be produced. This DigiTorc article, one of a series of occasional articles, defines:
- What a DPIA must consist of
- Which processing activities require a DPIA
- When a DPIA has to be completed
- Who should perform a DPIA
No doubt there will be further articles exploring DPIAs in future depending on demand.
What is a DPIA?
A DPIA is a process designed to help you systematically analyse, identify and minimise the data protection risks of a project or plan. While the GDPR does not formally define the concept of a DPIA, Article 35(7) does specify that, as a minimum, it must cover these four points:
Description of the data processing activity.
The DPIA requires “a systematic description of the envisaged processing operations and the purposes of the processing”. This should be written so that the DPIA is a self-contained document, including a narrative of what is proposed. Remember that under the “Purpose Limitation” principle you need to be clear about every purpose: if you want to use CCTV for both security monitoring and staff timekeeping, you need to state this up front.
Proportionality of data processing
Having described what is proposed, the next step is to explain why this is a required, or in GDPR jargon a “proportionate”, response. This should take the form of “an assessment of the necessity and proportionality of the processing operations in relation to the purposes”. Often at this point projects are cancelled, as organisations realise that there is another way to achieve the same end without intrusive personal data processing.
Risk of processing the data
GDPR relies heavily on risk assessments. There are many risk assessment methodologies available, for example in the PMBOK.
In GDPR the DPIA must contain “an assessment of the risks to the rights and freedoms of data subjects”. This can be difficult for an organisation to conceive of, and it is worth taking advice from other similar organisations. Broadly speaking, risks are measured in multiple dimensions. Pairs of dimensions such as impact and probability, or severity of damage and likelihood of occurrence, are often used to categorise risk.
It is normally worth looking carefully at the medium and higher probability events caused by carelessness and human frailty, whereas we are usually tempted to focus almost exclusively on high impact events with a negligible probability.
Safeguards which can be applied
To conclude the DPIA, the document needs to contain risk mitigation steps. This section should cover “the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned”.
Normally the risks outlined in the previous section are treated one by one in an attempt to reduce the residual risk to a trivial, or at least a manageable, level. Failing this, if the residual risk remains high, the organisation must consult with the DPC before processing.
Which activities require a DPIA?
The GDPR does not require a DPIA to be carried out for every processing operation which may result in risks to the rights and freedoms of natural persons. As mentioned above, in keeping with the risk-based approach embodied by the GDPR, a DPIA is only mandatory where processing is “likely to result in a high risk to the rights and freedoms of natural persons” (see Article 35(1), Article 35(3) and Article 35(4)). It is particularly relevant when a new data processing technology is being introduced.
The European Data Protection Board (EDPB) is not producing a common European Union list of processing operations for which a DPIA is mandatory (Article 35(4)). Contrary to some ill-informed commentary, the EDPB has taken the view that “the GDPR calls for the national supervisory authorities to create and publish lists of types of operations that are likely to result in a high risk”. This has resulted in 22 national lists with a total of 260 different types of processing. The draft Irish Data Protection Commissioner’s list is here.
In cases where it is not clear if a DPIA is required, WP29 recommends that a DPIA is carried out nonetheless, as a DPIA is a useful tool to help controllers comply with data protection law. Just as in the case of appointing a DPO, when in doubt about performing a DPIA it is good practice to do one anyhow. Most of the 99 articles in GDPR require documentation to verify compliance; with that mindset, having a DPIA which records the decision-making process could be key in protecting your organisation in case of a future audit.
In general, GDPR practitioners and professionals should note that we normally talk about high risk “to the rights and freedoms of individuals” (Article 35). This is normally understood to mean the rights to data protection and privacy. But the WP29 Statement on the role of a risk-based approach in data protection legal frameworks (adopted 30 May 2014) invokes other fundamental rights such as freedom of speech, freedom of thought, freedom of movement, prohibition of discrimination, and the right to liberty, conscience and religion. This wider context must inform the decision to commission a DPIA, especially when sensitive data is involved.
When does a DPIA have to be completed?
The answer to this question is surprisingly clear. The DPIA should be carried out “prior to the processing” (Articles 35(1) and 35(10), recitals 90 and 93). This is consistent with the data protection by design and by default principles (Article 25 and recital 78). The DPIA should be seen as a tool to inform decision-making about the processing, not a compliance tool applied after the fact.
Who should perform a DPIA?
The data controller, as the organisation which decides on the purposes of data processing, is responsible for ensuring that the DPIA is carried out (Article 35(2)).
The responsibility for commissioning a DPIA is clarified by recital 84 as follows: “In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk”. Recital 84 goes on to say that the data controller needs to act on the output of the DPIA: “The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation”.
While the responsibility remains with the data controller, the DPIA itself may be carried out by someone else, inside or outside the organisation. The skill set required to execute a DPIA is normally found in individuals or organisations who have prior experience of working with some or all of these national frameworks:
- Germany: Standard Data Protection Model
- Spain: Guía para una Evaluación de Impacto en la Protección de Datos Personales (EIPD), Agencia española de protección de datos (AGPD)
- France: Privacy Impact Assessment (PIA), Commission nationale de l’informatique et des libertés (CNIL)
- UK: Conducting privacy impact assessments code of practice, Information Commissioner’s Office (ICO)
Useful ideas can also be found in these two examples of EU sector-specific frameworks:
Here at DigiTorc we have standardised on the CNIL DPIA methodology, which we find is an excellent and succinct way to systematically analyse, identify and minimise the data protection risks of a project or plan. While a DPIA does not have to eradicate all risk, it minimises risk and determines whether or not the level of residual risk is acceptable in the circumstances, taking into account the benefits of what you want to achieve. If you would like to discuss DPIAs further, please contact us.