There is a special feeling when launching a new project. It is exciting, a little nerve-racking, but always bursting with potential.
Your company might be going through a similar process and feeling. But you might be unsure about the privacy implications. You might wonder, is a DPIA required under GDPR?
We all want our projects to succeed, but they might fail before they even begin without proper precautions.
This article will discuss the Data Privacy Impact Assessment (DPIA), its legal requirements, and how it can help you.
Is a DPIA a Legal Requirement?
There is some confusion within the business community when it comes to DPIA applicability. Many businesses are unsure about how the requirement relates to their projects and when to conduct one.
The General Data Protection Regulation (GDPR) is relatively straightforward about DPIAs, but it can be daunting to understand all the text’s legalese; who has time for that anyway? This section will briefly describe Article 35 of the GDPR in language that’s easier to digest.
Article 35 in the GDPR is the one relating to the DPIA, and there you will find all the legal requirements of the DPIA. We have gone ahead and shortened it, so it makes sense in a business context. But if you would like to read the whole text, you can check it out here.
The DPIA requirements in brief:
- A DPIA is required if new technologies will affect the rights and freedoms of the individual.
- This is especially true if the new tech involves:
  - Systematic monitoring of sensitive data
  - A large amount of data processing, including special categories of data
  - Systematic monitoring of publicly accessible data on a large scale
- Supervisory Authorities will also make available a list of activities that will require a DPIA.
Article 35 of the GDPR is longer than the points mentioned above; we dissect it for you throughout this blog post. In short, a DPIA is a legal requirement if you satisfy one of these conditions.
However, not all new projects will require a DPIA. If they involve a degree of personal data and could affect the individual’s rights and freedoms, it is necessary.
To give you a few examples, let’s look at point 2b. Special categories of data are a subsection of personal data that the GDPR refers to as “special categories.” It is data such as:
- Ethnic and racial data
- Sexual Orientation
- Biometric and genetic information
If your new technology or process involves large-scale processing of special categories of data, then you are legally required to carry out a DPIA.
Furthermore, systematic monitoring just means using the data as part of the business operation. For example, all the tracking, behavioral analytics, email subscriber listing, and profiling would be considered systematic monitoring.
These requirements outline when you should conduct a DPIA. In the next section, we will discuss why you need to perform a DPIA.
Privacy Risks, Why You Need A DPIA
The whole point of a DPIA is to assess the risk to the privacy of the data subject. We briefly mentioned it above, but the individual’s (data subject) rights and freedoms lie at the heart of the DPIA.
The rights and freedoms that the DPIA refers to are the general rights and liberties afforded to all European citizens and where the privacy risks come into play. Some examples of the rights and freedoms concerning the privacy of personal data are:
- Right to bodily integrity
- Right to no discrimination
- Right to secrecy
Violating these rights could lead to severe damage to the individual, such as:
- Physical harm
- Financial loss
- Material and non-material damages
There can be grave consequences for new projects if the proper protections are not put in place, and protection starts with a risk assessment.
The DPIA Breakdown
Fundamentally, the DPIA is a risk assessment process that analyzes the impact your project will have on the data subjects’ privacy. Of course, this would not apply if the project does not involve any personal data.
For context, we use the term “project,” but for some clarification, a project could be:
- A new internal business process (such as onboarding a new requirement software)
- A new technology that you will sell directly to the market
- A survey, questionnaire, or market research for both external and internal reporting
Any of these could be considered a “project.” Article 35 does make this point and highlights processes that use new technologies in particular. But any activity that poses a risk is subject to a data privacy impact assessment.
Unfortunately, the GDPR does not state what it classifies as a “new technology.” Is it based on technology that is new to the business or newly applied to a process? The answer is unclear, so it is better to err on the side of caution and base it on the latter.
In the coming sections, we will explore, in more detail, the makeup of a DPIA and how you can begin to use one today.
So let’s get right into the steps for implementing a DPIA.
1. Decide If A DPIA Is Necessary
The first thing you will want to do is decide if one is even necessary. The decision involves scoping out the project.
What is the makeup of the project itself?
- Does it use new technology?: a good barometer for deciding whether the technology is new is to check whether it is already regulated. Early-stage tech is disruptive, and it usually takes some time for regulators to understand its impact within the market.
- What kind of data will I need?: this is the factor that will decide the necessity for a DPIA. If the project requires personal data, you can be sure that a DPIA will be necessary.
- Scope the risks: carry out some preliminary or rough risk assessments. Mentally map a worst-case scenario if the project were to go wrong. What is the potential for damage if the data is lost or stolen?
By the time you get to the end of this process, you will know for sure if a DPIA is needed.
Note that personal data may only be processed after the DPIA is completed, not before.
Lastly, suppose that the organization’s latest project could have a high degree of risk to the data subject’s rights and freedoms. In that case, you must consult the relevant supervisory authority. As stated prior, the supervisory authority can decide the circumstances in which a DPIA is required that lie outside the scope of article 35.
2. Analyze Existing Data Flow Map
The GDPR requires an organization that handles personal data to create a data flow map. The map shows the journey personal data takes through your information system. It is a handy data management tool, and it will help you in the DPIA.
Using the data flow map, you can analyze how the new project will affect the information system: assess whether the new technology will disrupt the information system’s flow, and identify any vulnerabilities its implementation creates.
Take all this new information and adapt or change the data map to suit the new project. You will gain a deeper understanding of how the new project will impact the data subjects’ privacy.
3. Assess Privacy Risks
The next step, which is also the point of the DPIA, is to assess the privacy risks. The information gathered from the data map can help you analyze the flow of information and if the new project will divert the flow.
Simulating a new information flow can help you visualize the most apparent threats to the data. For example, if a new storage and processing system is needed, you can quickly see whether any new security measures will be required.
The risk analysis will then be: “If security measures are left unchanged, what are the potential consequences?”
The privacy risks, in DPIA terms, are (as discussed above) the factors that could lead to violations of the rights and freedoms of the natural person.
If you think the implementation of new technology could threaten these rights and freedoms, you will need to mention them as part of the risk assessment.
A real-world example would be the recent explosion of the social media app Clubhouse. In brief, this new social media platform, based on voice-only interactions, allows individuals to join virtual rooms and chat about various topics; there are no posts, no texts, just people speaking with one another.
Under the GDPR, a technology of this scope would undoubtedly need to undergo a DPIA. The app collects a relatively novel form of PII, voice ID.
Without serious security architecture, a data leak of voice recordings could lead to a plethora of privacy infringements. Unfortunately, much like many new technologies and trends, security lags as the technology begins to scale.
However, this could have potentially dangerous implications for the natural persons’ privacy, leading to a financial and reputational loss to the organization if Clubhouse does not implement the proper security measures.
Of course, this is a simulated scenario, but there have already been occasions of bad actors breaching the Clubhouse infrastructure and streaming data subjects’ recordings to a third-party website.
4. Suggest Mitigation
After you have identified and categorized privacy risks ranging from low to high, it is time to document any steps to mitigate the risks.
If we use the example above, with Clubhouse, we can see a high risk that a PII leak will negatively impact the natural person’s rights and freedoms.
The DPIA should suggest steps to ensure that the data does not fall into the wrong hands.
Looking back at the breach example, one action to implement is a security audit combined with an internal penetration test.
The penetration test opens up the possibility of bug discovery before any attackers find them, and with a security audit, external eyes add an extra layer of guidance.
Keep in mind that eliminating all bugs and vulnerabilities is exceptionally challenging, perhaps impossible. As a defender, it is essential to prioritize the vulnerabilities that pose the highest risk and deprioritize those that would not result in critical data theft.
Documenting this process is one thing, but you must also put it into practice. Keep yourself and your organization on the right side of the law.
5. Finalization and Documentation
Once you have aggregated all the information from the previous steps, it is time to put a “rubber stamp” on the DPIA. This final step involves the C-suite and upper management signing off on the DPIA.
These signatures ensure that all top-level decision-makers within the organization have acknowledged any risks and approve the required mitigation action.
Now would be a good time to discuss the security budget.
Conclusions
Undertaking new initiatives is the lifeblood of innovation, and businesses can’t thrive without it.
New projects in this day and age will often involve the adoption of new technologies. With new technologies come new horizons both in user experience and the security risks. Expanding your business should be your top priority; leave the security to us.
You shouldn’t be asking yourself, “Is a DPIA required under GDPR?” As a managed security service provider, RSI Security takes those compliance headaches away.
Get in contact today, and schedule a consultation here.