So what is a Data Protection Impact Assessment and why should organizations care?

If you’ve read anything about the upcoming General Data Protection Regulation (GDPR), you’ll probably have seen the phrase Data Protection Impact Assessment (DPIA). It’s similar to the Privacy Impact Assessment (PIA) already in place in countries like the UK, and a DPIA is expected to address four areas:

  • A description of the envisaged processing operations and the purposes of the processing
  • An assessment of the necessity and proportionality of the processing operations
  • An assessment of the risks to the rights and freedoms of the data subjects concerned
  • The measures which will be put in place to address those risks and demonstrate compliance

There are, however, some key differences to existing regulations. Firstly, while PIAs are optional, DPIAs are not. They’re being introduced to help organizations comply with GDPR – and demonstrate that compliance. A failure to conduct a DPIA when one is deemed appropriate, doing it incorrectly, or even failing to consult the regulatory authority when required can lead to a fine of up to 2% of an organization’s turnover, or €10 million.

Secondly, this isn’t a typical risk assessment exercise where the focus is on the organization. Instead, it should be conducted from the point of view of the individuals, or data subjects, involved to manage the risks to their rights and freedoms.

And finally, the GDPR specifically points out that a DPIA is the responsibility of the ‘controller’. A controller is the company or organization which determines the purposes and means of processing data. A bank, for example. So even if the bank outsources the processing of data to a specialist service provider, it is still liable for complying with the GDPR and completing a DPIA where appropriate.

All of that said, let’s look at the introduction to Article 35 of the GDPR which talks about when a DPIA is required:

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

Note the use of the phrase in the first line: in particular using new technologies. There’s a certain ambiguity here because that could refer to emerging technologies like Amazon’s digital assistant, Alexa, or it could refer to technologies that an organization or company is introducing for the first time, like fingerprint recognition.

Also, note the important phrase in the third line: prior to the processing. In line with the ‘data protection by design and by default’ concept that the GDPR introduces, a DPIA has to be in place before data is gathered or processed. The Data Protection Working Party, the EU body which currently provides advice and promotes the consistent application of data protection regulations, also ‘strongly recommends’ carrying out a DPIA for processing operations already underway.

That’s the important stuff out of the way. A DPIA isn’t optional for certain kinds of processing, there’s a heavy penalty for not complying, and it’s the responsibility of organizations or companies which use data, not third parties who process it.

What processing is subject to a DPIA?

Article 35 of the GDPR talks in general about automated processing and profiling, processing on a large scale, and systematic monitoring of public areas, but doesn’t go into detail beyond this.

To provide some direction, the Data Protection Working Party has issued guidelines which list the kinds of processing operations that are likely to introduce a risk to data protection rights or freedoms:

  1. Evaluation or scoring, including profiling
  2. Automated decision-making
  3. Systematic monitoring of individuals
  4. The processing of sensitive data
  5. The processing of data on a large scale
  6. Matching or combining datasets
  7. The processing of data concerning vulnerable data subjects
  8. The innovative use or application of technological or organizational solutions
  9. When the processing in itself prevents data subjects from exercising a right or using a service or a contract

The rule of thumb is that if the proposed processing meets one of the above criteria, it may not require a DPIA, whereas if it meets two or more of the criteria, it will require a DPIA.

A mailing list used to send a weekly digest to subscribers to an online golf magazine, for example, won’t require a DPIA, even if it’s a large list. If that same list is combined or cross-referenced with other lists to create an enhanced list where offers can be targeted based on income or zip code, then it will require a DPIA.

The default position here is that if you’re unsure whether a DPIA is necessary, do one. The upside is that it will help you understand exactly what data is being processed and why, what the risks are, and how those risks are being addressed. There is no downside.

What is the content of a DPIA?

Rather than defining the precise format of a DPIA, the GDPR leaves it open so that organizations can create one that complements their existing working practices, and matches frameworks already in place, instead of forcing them to change.

In the UK, for example, the Information Commissioner’s Office already has a code of practice for conducting privacy impact assessments. Similarly, the European Union’s Smart Grid Task Force has produced a data protection impact assessment template for smart grid and smart metering systems, which is a valuable sector-specific resource.

Whichever approach is taken, the GDPR does stress that the minimum content of a DPIA should cover the four key areas mentioned earlier.

Finally, once a DPIA has been completed, that’s not the end of the story. The final sentence of Article 35 specifically says:

Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.

So ongoing monitoring is also part of the requirements for compliance, and the risk to the rights and freedoms of data subjects needs to be evaluated and reviewed regularly.

The most valuable resource I’ve found regarding DPIAs is the set of guidelines I mentioned earlier from the Data Protection Working Party. Of particular value are the appendices, which include examples of existing EU frameworks and the criteria for an acceptable DPIA in the form of a checklist.

You can find out more about keeping sensitive data secure on Redgate’s Data Privacy and Protection pages.

If you’d like to gain a deeper understanding of the GDPR, you can also read Richard’s other posts on the topic:

So what is GDPR, and why should Database Administrators care?

So what is GDPR, and why should your customers care?

So what is data mapping and why is it the key to GDPR compliance?

This blog post was first published on Dataversity on 13 February 2018.