In May of 2018, after a two-year grace period, the General Data Protection Regulation (GDPR) was finally activated. GDPR exists to ensure that every company around the globe that either offers goods or services to, or monitors the behavior of, EU data subjects is much more responsible for the protection of their personal data.
For the individual person, the GDPR grants several rights with regards to the processing and movement of personal data, including: mandatory consent before collecting, storing and processing personal information; access and portability of personal data; data breach notifications; and the right to be forgotten, amongst others. As for the companies that must comply with this new regulation, there is no shortage of challenges, including the execution of a data protection impact assessment (DPIA).
DPIA — Data Protection by Design and by Default
One of the key elements of GDPR is requiring the implementation of appropriate technical and organizational controls to enforce the data protection principles and safeguard individual rights. In fact, this concept is not new, and is commonly referred to as “privacy by design” or, most recently, as “data protection by design and by default.” The real change is the fact that with the GDPR in effect, this is now a legal requirement.
The data protection impact assessment (DPIA), also known as Privacy Impact Assessment (PIA), is an integral part of the “data protection by design and by default” approach. As pointed out in GRPR Article 35, a DPIA is necessary when the type of processing is likely to result in a high-risk situation for the rights and freedoms of natural persons, including the use of new technologies, automatic systematic processing and evaluation of personal information, large-scale monitoring of a publicly-accessible area, and large-scale processing of sensitive data like biometrics.
To put it simply, the idea behind the DPIA is to create a process for systematically and comprehensively analyzing data processing, so as to identify and minimize data-protection risks.
How to Conduct a Data Privacy Impact Assessment
While the GDPR does not directly specify the DPIA process step by step, it allows for organizations to use a framework that complements their existing working practices. For example, adopting the Privacy Impact Assessment (PIA) from the Information Commissioner’s Office (ICO) is a great approach.
The basic steps are:
1. Identifying the Need for a DPIA
The best moment to conduct a DPIA is as early as possible within any new project life cycle. This way, it will be easier for your company to incorporate any findings and recommendations into the design of the processing operation.
It is important to remember that a DPIA is only mandatory in specific cases where data processing is likely to result in a high risk to the rights and freedoms of natural persons. The GDPR explicitly mentions three primary conditions when the DPIA is necessary:
- A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
- Processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences
- A systematic monitoring of a publicly-accessible area on a large scale
2. Describing the Information Flow
Once you confirm the DPIA is mandatory, the next step is describing the information flow. For instance, it is necessary to provide details on how the information within the processing operation is collected, stored, used and disposed.
3. Identifying Data Protection and Related Risks
As mentioned before, the idea of the DPIA is to understand and reduce data privacy risks to an acceptable level. This will require a clear view of all threats and vulnerabilities for the data processing operation and should result in a risk catalog including both the likelihood and the severity of any impact on the rights and freedoms of individuals whose data you collect and/or process.
4. Identifying Data Protection Solutions to Reduce or Eliminate the Risks
After creating your risk catalog, the next logical step is identifying the necessary protection solutions to reduce or eliminate the risks. In other words, your company should define controls to either mitigate, avoid, transfer or accept the risks.
As with any risk-management approach, for most cases it will not be necessary to completely extinguish a specific risk; the idea is reducing its likelihood and impact to acceptable levels.
5. Sign Off the Outcomes of the DPIA
After risk decisions are taken, it is necessary to create a record of the DPIA outcomes and have it signed off by the parties responsible for the mentioned decisions.
It is important to remember that when a high-level risk that was identified cannot be mitigated, the organization must submit the DPIA to the regulatory authority for consultation before processing.
6. Integrate Data Protection Solutions Into the Project
As a last step, it is necessary to make sure the DPIA outcomes, such as security controls, are completely integrated into your project. Consider reviewing and revisiting the DPIA when necessary, especially in cases where there is a meaningful change to your project.
Leaving GRPR requirements aside for just a moment, adopting a “data protection by design and by default” approach is a smart strategy for any company, and its benefits extend far beyond simple regulation compliance. Potential risks and other problems can be identified at a very early stage, which in turn will make addressing these situations both simpler and less expensive.
It will also result in an increased level of privacy and data protection awareness across the organization, reducing the probability of breaching regulations such as the GDPR and avoiding significant financial and/or reputational impact.
Conducting a DPIA is not a simple task. It should be done by professionals with sufficient expertise and knowledge of the project in question and use the advice from your appointed data protection officer (DPO). So if your staff does not possess sufficient the necessary experience, your best bet is investing in training or using external specialists to consult on or to carry out the DPIA.
Art. 35 GDPR – Data protection impact assessment, Intersoft Consulting