A data protection impact assessment (DPIA) is a form of risk assessment that is designed to help organizations identify, analyze and minimize the privacy risks associated with a given project. All entities (with some exceptions) covered by the General Data Protection Regulation (GDPR) must carry out regular DPIAs as a part of the “privacy by design” principle. A failure to do so could result in legal action, including potentially steep fines.
Benefits of a Data Protection Impact Assessment (DPIA)
Even if the GDPR is not relevant to your organization, conducting a DPIA will help you minimize the likelihood and severity of a data breach, and help you comply with other data privacy regulations. Conducting a DPIA will enable you to recover from security incidents in a fast and efficient manner, and avoid costly fines and lawsuits.
When are Data Protection Impact Assessments Required?
According to Article 35 of the GDPR, a DPIA is required under the following circumstances:
“Where a type of processing, in particular, using new technologies and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
Any project that started on or after May 25, 2018, will require a DPIA. This also applies to projects that started before that date but have since changed in such a way that might introduce new privacy risks. Essentially, any data processing activities that present a risk to the rights and freedoms of EU citizens, will be subject to a DPIA. Such activities might include the large-scale processing of personal data, conducting personal evaluations of individuals, and the surveillance of public areas. Organizations are not required to conduct a DPIA if they are processing data on behalf of the public, or have a legal obligation to do so. Below are some additional notes about the conditions in which a DPIA is required.
Large-scale data processing: This includes the number of data subjects involved, the territorial scope of the project, and the duration of the processing activities.
Profiling: In order to protect data subjects from unfair discrimination, any processing activities that evaluate or score an individual based on their performance at work, health, gender, race, religion, economic situation, and other factors such as the data subject’s personal preferences, interests, behavior, and so on.
Automated decision-making: As above, any data processing activities that rely on automated decision-making must be carefully reviewed to ensure that it doesn’t result in unfair discrimination against an individual.
Physical surveillance: Organizations that use surveillance technologies to monitor data subjects in public areas are required to conduct a DPIA.
Processing data belonging to vulnerable individuals: This includes children, people who have a mental illness, and anyone else who may not have the ability to oppose the processing of their data.
Merging or comparing data sets: An organization must conduct a DPIA when data processing activities include merging or comparing multiple sets of data collected for different purposes.
Processing biometric data: This includes the use of fingerprint scanners and facial recognition software, and also includes the use of Internet of things (IoT) devices.
Transferring of data outside the EU: This is when an organization expands its services to a country outside of the EU.
Restricting a data subject’s access to services: In some circumstances, a data subject may be denied access to a service based on information that the organization has collected on their behalf. In these circumstances, a DPIA will need to be carried out.
5 Steps to a Successful Data Protection Impact Assessment (DPIA)
Step 1: Determine whether a DPIA is required for your project– Naturally, the first step is to find out if you actually need to conduct a DPIA for your project. This includes documenting the nature, scope, context, and purpose of the processing activities involved.
Step 2: Appoint the relevant personnel – In addition to appointing a Data Protection Officer (DPO), which is mandatory if the organization’s core activities consist of data processing operations that require the systematic monitoring of data subjects on a large scale, the organization will need to appoint a project leader. They may also choose to hire IT professionals, lawyers, analysts, and other professionals who have extensive experience with data privacy.
Step 3: Create an inventory of your assets and identify potential vulnerabilities – You will need to create a prioritized list of critical assets and resources and document any potential threats. A good place to start would be to use automated data discovery and classification tool to help you identify what sensitive data you have, and where it is located. Bear in mind that you will also need to keep an inventory of your physical assets, which includes drives, devices, servers, routers, printers, and so on. Next to each of these assets, you will need to document the different ways they can be compromised, and what the potential impact would be if they were. This would also include developing an understanding of which other systems and data rely on those assets.
Step 4: Document all tools and processes that are used to mitigate risks – As with your critical assets and resources, you will need to create an inventory of the security tools and processes you already have in place to minimize the likelihood of a security breach. You will also need to make a note of what threats these tools and processes help to mitigate, and how. Any relevant technologies and processes that you don’t currently have, but think would help to improve your security posture, should also be noted.
Step 5: Produce a DPIA report – The final step is to produce a comprehensive report which provides a detailed description of the project, the purpose of the project, and its scope. All information from the previous steps should be included in this report. Your DPIA report should also include information about the steps your organization has taken to mitigate risks and comply with the GDPR requirements. Even if it is not a requirement of the GDPR, it is good practice to publish your DPIA report as this will demonstrate transparency and accountability to your stakeholders, not to mention your customers. All relevant personnel, including the DPO, should be involved in the report, and you will need to get it signed off by the supervisory authorities.
If you’d like to see how Lepide can help you analyze risk to your sensitive data and compliance readiness, schedule your free risk assessment today.