The global impact of the GDPR continues to increase. Companies no longer operate solely in one country; rather, they have an international network. Consequently, the GDPR pertains to US companies that process the personal data of individuals in the EU just as much as it does to EU companies. DPIAs, Data Protection Impact Assessments, serve as one component of the GDPR's risk assessment line-up. Read on to learn more about when a DPIA is needed.
What Is a DPIA?
A DPIA is simply a more specific type of risk assessment. The GDPR requires a DPIA where the processing of personal data is likely to result in a high risk to individuals; it is the processing, not the data in isolation, that triggers the requirement. The GDPR's requirements highlight the shift from reactive cybersecurity strategies to more proactive, preventive measures. Specifically, Article 35 of Regulation (EU) 2016/679 (GDPR) introduces the concept of a Data Protection Impact Assessment (DPIA), as does Directive (EU) 2016/680.
Why Is a DPIA Important?
A DPIA looks at how data is processed and how that processing puts the rights and freedoms of individuals at risk. In other words, a DPIA is a process for building and demonstrating compliance and encompasses the origin, nature, particularity, and severity of the risks to personal data. For example, a DPIA may address the necessity and proportionality of the processing in relation to its purposes in order to better manage the risks to personal data. DPIAs serve as tools for maintaining accountability, as they help controllers not only comply with GDPR requirements but also demonstrate that appropriate measures have been taken to ensure compliance.
Under the GDPR, non-compliance with DPIA requirements may result in fines imposed by the competent supervisory authority. Fines may occur in the following scenarios:
- Failing to carry out a DPIA when the processing is subject to one (Article 35(1) and (3)-(4))
- Carrying out a DPIA in an incorrect way (Article 35(2) and (7)-(9))
- Failing to consult the competent supervisory authority where required (Article 36(3)(e))
Any of these can result in an administrative fine of up to 10M€ or, in the case of an undertaking, up to 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(4)(a)).
How Do I Know If I Need a DPIA?
A DPIA may seem like just another acronym in the growing pool of risk assessments, but it doesn't have to be confusing. The first step is understanding when a DPIA is required. It's important to keep in mind that a DPIA is not mandatory for every processing operation; rather, it is only required when the processing is "likely to result in a high risk to the rights and freedoms of natural persons" (Article 35(1)). In cases where it is not clear whether a DPIA is required, the Article 29 Working Party (WP29, now the European Data Protection Board) recommends that a DPIA is carried out nonetheless, as a DPIA is a useful tool to help controllers comply with data protection law. Basically, it is better to be safe than sorry.
What is High Risk?
At first, the definition of high risk appears rather subjective; however, Article 35(3) of the GDPR provides some examples to more easily identify which processing operations are likely to result in high risk:
- "(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
- (c) a systematic monitoring of a publicly accessible area on a large scale".
DPIA-Required Scenarios
The difficulty in determining "high risk" is that the GDPR doesn't provide concrete boundaries for when a DPIA is necessary. However, the GDPR does specify that if data processing includes profiling with legal or similarly significant effects, large-scale use of special categories of data, or systematic public monitoring on a large scale, a DPIA must be conducted. Other scenarios that would require a DPIA include:
- the implementation of new technologies
- tracking behaviors and locations or “aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements”
- if processing “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”
- automated decision-making that aims to take decisions about data subjects producing "legal effects concerning the natural person" or which "similarly significantly affects the natural person." For example, a bank may use software to pre-screen individuals for a loan.
- processing the data of children or other vulnerable data subjects
- processing data about an individual's preferences or beliefs, such as information about individuals' political opinions, or data relating to criminal convictions
In most cases, a data controller can consider that processing meeting two of these criteria requires a DPIA to be carried out. However, in some cases, a data controller may deem that processing meeting only one of these criteria requires a DPIA.
For more clarification, the chart below breaks down types of processing that will likely require a DPIA and provides related examples.
Other DPIA Impacting Factors
- The volume of data and/or the range of different data
- The duration, or permanence, of the data processing activity
- The geographical extent of the processing activity (how many companies or countries does the data pass through)
Like many risk assessments, a DPIA is scalable and changes on a case-by-case basis. The International Association of Privacy Professionals (IAPP) provides a DPIA template to determine whether a DPIA is necessary. When it comes to tackling a DPIA, there are a few options.
- A company can research and identify on its own whether a DPIA is required
- A company can hire a third-party evaluator
- A company can use software to assist in determining whether a DPIA is necessary
In all likelihood, some combination of these three options will be the most beneficial.
To help mitigate ambiguity and create some level of uniformity when composing a DPIA, the Article 29 Working Party (WP29) released Guidelines on Data Protection Impact Assessment, since endorsed by the European Data Protection Board. In general, a DPIA should have the seven sections outlined below:
- Identify the DPIA Need – Summarize why there is a need for a DPIA and what processing is involved.
- Describe the Processing – Outline the collection, use, and deletion of data, as well as the reasoning behind the data collection. Additionally, include what kind of processing is used and why it constitutes a high risk.
- Consultation Process – Identify who needs to be kept in the loop regarding risks and processing, such as stakeholders, data subjects, the Data Protection Officer, and security experts.
- Assess Necessity and Proportionality – Identify the lawful basis for the processing and address data quality and minimization, while also limiting function creep and respecting individuals' rights.
- Identify and Assess Risks – List the likely sources of risk and the potential impact on individuals, along with the likelihood and severity of each.
- Identify Measures to Reduce Risk – Options to reduce or eliminate each risk, and to what extent the risk will be limited.
- Signatures and Notes – Lastly, have official sign-off (such as department leads or consulting parties) and include any additional comments, including whether the supervisory authority needs to be consulted about residual high risk.
DPIAs provide companies with an opportunity to assess what data is being collected and how that data plays a role in operations. Although it may seem like just another assessment, a DPIA can help better allocate resources and improve efficiency, in addition to strengthening security measures. If you need assistance identifying if a DPIA is necessary or creating a DPIA template, contact RSI Security today.