Article 35 of the EU General Data Protection Regulation (GDPR) describes the requirement for organizations to “carry out an assessment of the impact of the envisaged processing operations on the protection of personal data”. This process, referred to as a Data Protection Impact Assessment (DPIA), is an integral component of the GDPR, and if it is not carried out when required, it can leave an organization open to enforcement action, including potentially steep fines.
In this blog post, we will take a deep dive into Data Protection Impact Assessments, going over what they are, when you need one, and how to conduct one.
In short, a DPIA is a process geared towards identifying and minimizing risks associated with the processing of personal data. Risks to personal data may include anything from unauthorized access by internal or external actors to not handling personal data in accordance with the wishes of the individual. This assessment must be done when a type of processing activity is likely to result in a high risk to the rights and freedoms of an individual.
This is not a one-time assessment; it should be performed any time there is a “change of the risk represented by processing operations” or, as a more cautious practice, any time a new project involving the processing of personal data is kicked off, regardless of any indication of high risk. In addition, the exercise should not only assess risks but should also be accompanied by a list of measures the organization will take to address each risk identified.
A DPIA is not required before every new processing activity, but only for activities that may present a high risk to the “rights and freedoms of natural persons”. While the regulation does not precisely define high risk, Article 35 gives some examples of specific scenarios where a DPIA is required:
European guidelines provide nine criteria that should be considered when determining whether a certain activity poses high risk.
In any case of uncertainty, it is recommended that an assessment is carried out as it can be a useful tool to help organizations maintain compliance.
The GDPR articulates the minimum features of the DPIA as:
In order to meet these requirements, organizations will need to work closely with their Data Protection Officer and any other key stakeholders involved in the project throughout the course of the assessment. A DPIA should begin in the initial stages of a project, before any data processing activities begin. The GDPR allows a certain level of flexibility in determining the process and orchestration of the DPIA in order to best accommodate an organization’s current practices and sector- or business-specific requirements. The general approach for carrying out a DPIA is described below:
Leverage the guidelines described above to determine whether a DPIA is required. If there is any doubt, it is still a good idea to perform the assessment to ensure compliance is maintained.
The first step here is to describe and document how data is being processed throughout the project and what the scope of the data is by answering questions such as
The next step is to describe the purpose of the data processing activities as it relates to the objectives of the project. Specifically, describe each data processing activity, how it will impact the consumer, and how it will be leveraged for the project.
An important aspect of the DPIA is justifying each data processing activity against what is actually required for the objectives and outcomes of the project. Start by answering questions similar to those listed below
There are several key parties that should be consulted throughout the course of the DPIA. This includes
This is possibly the most important component of the DPIA where any risks to personal data are thoroughly evaluated. While predicting every avenue of risk is dependent on the nature of the project, the following key aspects should be evaluated.
Once an organization has a good understanding of the potential risks involved in the project, it is essential to start strategically formulating and implementing the security measures that will address or reduce those risks as far as possible. This stage may involve a variety of cybersecurity platforms to help achieve and ensure the following
Once all risks have been identified and the appropriate security strategy has been devised, these points must be documented in order to receive the necessary sign-off from the relevant parties, which will depend on the organization and the specific project. Relevant parties may include the Data Protection Officer or members of the management team.
As previously noted, this assessment should not be considered a one-time exercise; risks to personal data should be considered at every step of any new or ongoing project.
Data Protection Impact Assessments are a meaningful tool for data controllers to leverage in order to ensure that new projects involving the processing of personal data comply with the GDPR. While the regulation sets forth a generic set of requirements, the criteria set forth in this blog post can be tailored to the unique nature of an organization and its data processing activities.
Stealthbits can help to automate several discovery and remediation components required for any DPIA by providing the ability to
Provide bulk remediation capabilities such as the ability to lock down access to sensitive data or remove data that has exceeded its retention policies