Updated: Jan 5
What is it and when do you need it
This article looks at the Data Protection Impact Assessment (DPIA) that is mandated as part of GDPR. Through examples, it shows the complexity of such data protection laws, why operationalizing data governance is key, and why you need a framework that ties together all data management policies, standards, and regulations.
Identifying risks early can help you earn your customers' trust and ensure compliance with the General Data Protection Regulation (GDPR) requirements.
In this article, we will review
"Data Protection Impact Assessment" (DPIA) under GDPR and;
How to implement it.
What Is The "Risk-Based Approach" Under GDPR?
Each category of personal data has a different sensitivity level, and each data processing activity creates a different degree of risk for individuals.
Unauthorized disclosure of sensitive medical records and accidental erasure of encrypted home addresses do not create the same level of data privacy risk.
To strike a fair balance between the rights of data subjects and the obligations of controllers, the General Data Protection Regulation (GDPR) adopts a risk-based approach: depending on the risk, data controllers are subject to different compliance obligations.
GDPR article 35 is the clearest example of this approach: depending on the degree of risk to data subjects' rights and freedoms, data controllers may have to conduct an impact assessment before processing data.
What Is Data Protection Impact Assessment Under General Data Protection Regulation?
The heightened risk to individual rights and freedoms does not have to prevent great projects or breakthrough technologies from moving forward.
Consider a neighborhood with excellent transportation access and a young, vibrant population that is nevertheless underdeveloped because of high crime rates. Implementing a CCTV camera system with facial recognition technology could reduce crime rates and bring prosperity.
While there are immense benefits to be reaped, monitoring public areas on a mass scale comes with a high legal risk to rights and freedoms. Is it possible to find a solution to go forward with this project? Can you implement your solution while also complying with laws?
This is precisely the type of problem GDPR's 'Data Protection Impact Assessment' addresses. It requires producing a prior impact assessment to identify risks to individual rights and to take appropriate measures:
"Where a type of processing, in particular, using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, before the processing, carry out an assessment…"
GDPR article 35 distinguishes between different degrees of risk and subjects only high-risk processing activities to the DPIA requirement. Moreover, you must conduct the DPIA before starting the processing of personal data.
Another element worth noting is that 'rights and freedoms of natural persons' are interpreted broadly. They are not limited to privacy rights because they also include fundamental rights such as freedom of movement, the right to non-discrimination, and any social or economic disadvantage.
Is a DPIA Mandatory Under GDPR?
While privacy impact assessments were already common practice, the General Data Protection Regulation turned this practice into a legal obligation on organizations.
GDPR refers to two groups of processing activities that automatically oblige you to carry out a DPIA. In other words, you must conduct a DPIA for such processing activities, even without doing any risk analysis.
These two groups are as follows.
(1) Data processing activities specified by GDPR
Article 35(3) GDPR lists three types of processing activity that mandate conducting a DPIA:
a systematic and extensive evaluation of personal aspects relating to natural persons which are based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offenses referred to in Article 10; or
systematic monitoring of a publicly accessible area on a large scale.
If your processing activities fall under these definitions, then you must carry out a DPIA.
(2) Data processing activities determined by supervisory authorities to be subject to a DPIA
Under articles 35(4) and 35(5) GDPR, national data protection authorities can publish a list of processing activities that require a Data Protection Impact Assessment and a list of those that do not.
As with the processing activities that GDPR itself subjects to a DPIA, processing activities included in a national authority's list of activities requiring a DPIA are subject to a mandatory DPIA.
In some jurisdictions these lists cover the 'use of new technologies such as A.I.' and 'automated decision-making.'
The majority of E.U. countries' authorities, as well as the UK, Germany, and France, have already published lists of activities for which a DPIA is mandatory. The U.K.'s authority, the ICO, for instance, published ten types of processing activities. The ICO's list includes the 'use of new technologies such as A.I.' and 'automated decision-making' to deny access to products or services such as education or banking services.
The French authority CNIL likewise determined 14 types of processing activities which mandate producing a DPIA. Two of these are:
processing of genetic data of vulnerable data subjects such as children and patients, and
processing for monitoring of employees.
Can Other Types Of Processing Still Necessitate a DPIA?
Suppose a processing activity is included neither in GDPR's list nor in the lists published by national authorities. In that case, it is at your discretion to decide whether or not you will produce a DPIA, based on your high-level screening of the processing activity.
Conducting a DPIA can contribute to your compliance efforts even when it is not required. If you have any suspicion about the risks, a DPIA is a recommended practice for complying with GDPR.
How To Implement DPIA?
While article 35 of the General Data Protection Regulation (GDPR) does not prescribe a step-by-step procedure for conducting a DPIA, it requires you to include at least the following elements:
A systematic description of your planned data processing activities and the purposes thereof;
An assessment of whether your chosen processing operation is necessary and proportionate for your purposes;
An evaluation of the risks to the rights and freedoms of data subjects;
The measures and safeguards you will implement to mitigate or eliminate the identified risks.
This minimum content requirement tells you what a DPIA must contain, not how to produce it. The rest of this section supplies such a procedure.
The following is the seven-step template for conducting a DPIA provided by the U.K. Data Protection Authority (ICO).
Step 1: Identify the need for a DPIA
If a DPIA is mandatory under GDPR or a national authority's list, you can skip this step. If it is not mandatory, you need to set up a high-level screening procedure to decide whether the personal data processing involves a high risk to rights and freedoms and, if it does, to conduct a DPIA. For example, you can flag any processing activity involving children's data as high-risk.
Step 2: Describe the processing.
You must describe the scope, context, and purposes of your data processing activity in detail. You should provide a detailed journey of how data will flow through your organization, such as how and from what sources it will be collected, where it will be stored, and who will access it.
Having a clear plan for the collection and use of data is crucial to detecting security vulnerabilities.
It will also help you collect, store, use, and share personal data in compliance with GDPR. If you are collecting sensitive personal data such as genetic data from a university, for instance, you may rely on 'research purposes' to collect and store this data. You will also inform the data subjects within a certain period under article 14 GDPR.
This step provides you with a comprehensive description of your data inventory and how you will use it. Based on this, you can ensure compliance with GDPR requirements.
Furthermore, you should also specify the purpose of each data processing activity within the DPIA. Documenting this will also help you comply with other GDPR requirements, such as lawful personal data processing. One of the legal bases is legitimate interests, and you must refer to your purposes and your interest when you rely on it. You will then have documented proof of your purposes for processing data, which supports compliance.
Step 3: Consider consultation.
Consulting all stakeholders such as lawyers, your data processors (cloud providers, etc.), and your I.T. team and taking their input is advisable.
Step 4: Assess the necessity and proportionality.
Your plan may not be the most practical or privacy-friendly way to achieve your purposes. What if you can achieve the same goal, such as identity verification, without storing sensitive data like a voice print? What if anonymizing the personal data still allows you to achieve the same goal?
This assessment will reduce your exposure to non-compliance risk.
Step 5: Identify and assess risks
You should interpret the concept of 'risk to rights and freedoms of individuals' broadly and not limit it to privacy rights. Any material, physical, or emotional harm should be of concern to you. Such harms include, but are not limited to:
a threat to freedom of movement,
discrimination based on race, religion, or ethnicity,
refusal of access to services such as education or loans.
In your risk analysis, you should assess two factors: the likelihood and the severity of the risk. Access to unencrypted sensitive health records by hackers poses more risk than the loss of your customers' outdated home addresses.
Every risk is unique and carries a different degree of impact or importance, so you should treat each accordingly.
Step 6: Identify measures to mitigate the risks
Every data processing operation comes with some unavoidable risk, and eliminating risk entirely may not even be technically possible. However, you can implement data security measures, use advanced technologies, and apply new organizational measures to mitigate risk to a great extent.
Your measures should be appropriate and proportionate to the risk you identified. These measures include:
Not collecting excessive data;
deleting unnecessary data;
implementing more robust security measures such as two-factor authentication;
anonymizing or pseudonymizing data as much as possible to reduce the harm of a breach.
Step 7: Sign off and record outcomes
After completing your DPIA, you should document your findings and your future action plan.
What comes next? A DPIA is a tool to help you identify risks and act accordingly. Therefore, you must put your plans to reduce risks into action to comply with the law.
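The seven steps above can be captured in a small screening and risk-register helper. The following is an added example, not part of the original article or the ICO template; the trigger names, the 1-3 likelihood and severity scales, the high-risk threshold, the sign-off rule, and the CCTV sample risks are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Art. 35(3) triggers and the authority lists the article cites (key names assumed).
MANDATORY_TRIGGERS = {
    "automated_decisions_legal_effect": "Art. 35(3)(a): systematic profiling with legal effects",
    "large_scale_special_category": "Art. 35(3)(b): large-scale special-category or criminal data",
    "systematic_public_monitoring": "Art. 35(3)(c): systematic monitoring of a public area",
    "on_national_authority_list": "Art. 35(4): on a supervisory authority's mandatory list",
}
INTERNAL_HIGH_RISK_FLAGS = {"children_data", "new_technology"}  # Step 1 screening rules (assumed)
HIGH = 6  # likelihood x severity at or above this counts as high risk (assumed threshold)

def screen(flags: set) -> Tuple[str, List[str]]:
    """Step 1: is a DPIA mandatory, recommended by internal screening, or not required?"""
    reasons = [desc for key, desc in MANDATORY_TRIGGERS.items() if key in flags]
    if reasons:
        return "mandatory", reasons
    internal = sorted(INTERNAL_HIGH_RISK_FLAGS & flags)
    if internal:
        return "recommended", ["internal screening flag: " + f for f in internal]
    return "not required", []

@dataclass
class Risk:
    harm: str                     # Step 5: harm to rights and freedoms, not only privacy
    likelihood: int               # 1 remote, 2 possible, 3 likely
    severity: int                 # 1 minimal, 2 significant, 3 severe
    measures: List[str] = field(default_factory=list)     # Step 6 mitigations
    residual: Optional[Tuple[int, int]] = None            # (likelihood, severity) after measures

    def inherent(self) -> int:
        return self.likelihood * self.severity

    def residual_score(self) -> int:
        # A measure that was never re-scored mitigates nothing: fall back to inherent scores.
        l, s = self.residual or (self.likelihood, self.severity)
        return l * s

def risk_register(risks: List[Risk]) -> dict:
    """Steps 5-7: score, mitigate and record; anything still high stays on the action plan."""
    open_risks = [r.harm for r in risks if r.residual_score() >= HIGH]
    return {"inherent_max": max(r.inherent() for r in risks),
            "residual_max": max(r.residual_score() for r in risks),
            "open_risks": open_risks,             # still high after Step 6
            "sign_off_possible": not open_risks}  # Step 7 gate (assumed policy)

# Constructed sample: the article's CCTV-with-facial-recognition scenario.
CCTV_FLAGS = {"systematic_public_monitoring", "new_technology"}
CCTV_RISKS = [
    Risk("discrimination from biased face matching", 2, 3, ["human review of every match"], (1, 3)),
    Risk("chilling effect on freedom of movement", 3, 2, ["short retention of footage"], (2, 2)),
]
```

A risk whose mitigation is listed but never re-scored keeps its inherent score, so an unfinished Step 6 shows up as an open item rather than silently passing sign-off.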
Best Tips To Do DPIA Successfully
Have internal policies and procedures for DPIA
A DPIA is a challenging process that starts with determining whether you need one at all. You need to specify a mechanism for deciding when one is required and who in your organization is authorized to make that decision.
Stay updated with new technologies.
Malicious parties constantly devise new ways to infiltrate I.T. systems and access data. You must be aware of current developments in technology and data security to stay ahead. For instance, if there is a more robust privacy-preserving technique for machine learning, such as 'differential privacy', that reduces the severity of a breach or unauthorized access, you may consider implementing it.
Navigate across different jurisdictions and legal systems.
While GDPR applies across the whole E.U., national authorities still have discretion in certain areas. The DPIA lists are one example: GDPR itself names activities that automatically require a DPIA, and every country's authority publishes an additional list of its own.
In France, for instance, the processing of personal data for social care automatically mandates a DPIA, whereas in the U.K. it does not. Given these divergent approaches to the DPIA, setting up separate, adjusted policies for each country is highly recommended for compliance with GDPR.
A DPIA is not an extra burden on your business but rather a facilitator for identifying and eliminating personal data risks. Recognizing the DPIA as a dynamic process and implementing robust internal policies that are also operationalized is of particular importance.