What is a Data Protection Impact Assessment (DPIA)?

Article 35 of the EU General Data Protection Regulation (GDPR) describes the requirement for organizations to “carry out an assessment of the impact of the envisaged processing operations on the protection of personal data”. This process referred to as a Data Protection Impact Assessment (DPIA), is an integral component of the GDPR, and if not carried out when required, can leave an organization open to enforcement action such as potentially steep fines.   

In this blog post, we will take a deep dive into Data Protection Impact Assessments, going over what they are, when you need one, and how to conduct one.   

What is a Data Protection Impact Assessment?

In short, a DPIA is a process geared towards identifying and minimizing risks associated with the processing of personal data. Risks to personal data may include anything from unauthorized access by internal or external actors to not handling personal data in accordance with the wishes of the individual. This assessment must be done when a type of processing activity is likely to result in a high risk to the rights and freedoms of an individual.  

This is not a one-time assessment, and should rather be performed any time there is a “change of the risk represented by processing operations” or to be more precautious, any time a new project which involves the processing of personal data is kicked off regardless of any indication of high risk. In addition, this exercise should not only include the assessment of risks but should also be accompanied by a list of measures the organization will take to address any of the risks identified.

When Do You Need a DPIA?

A DPIA is not required to be carried out prior to any new processing activity, but instead for activities that may present a high risk to the “rights and freedoms of natural persons”. While the definition of high risk is not quite defined, Article 35 gives some examples of specific scenarios where a DPIA is required:

• A systematic and extensive evaluation of personal aspects relating to natural persons which are based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
• Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offenses referred to in Article 10; or
• A systematic monitoring of a publicly accessible area on a large scale.

European guidelines provide nine criteria that should be considered when determining whether a certain activity poses high risk.

• Evaluation or scoring of individuals
• Automated-decision making with significant effect
• Systematic monitoring used to observe, monitor, or control data subjects
• Sensitive or personal data as defined in Article 9 of the GDPR
• Data processed on a large scale whether that be based on the number of data subjects, the volume or range of data, the duration or permanence of the data, or the geographical extent of the processing activity
• Matching or combining datasets in a way that would exceed the expectations of an individual
• Data concerning vulnerable data subjects including children, employees, or segments of the population requiring special protections
• Innovative use or applying new technological or organizational solutions where the personal and social consequences may be unknown
• When the processing prevents data subjects from exercising a right or using a service or a contract

In any case of uncertainty, it is recommended that an assessment is carried out as it can be a useful tool to help organizations maintain compliance.

How to conduct a DPIA

The GDPR articulates the minimum features of the DPIA as:

• A description of the processing operations and the purposes of the processing    
• An assessment of the necessity and proportionality of the processing operations
• An assessment of the risks to the rights and freedoms of data subjects
• The measures that will be taken to address the risks in order to protect personal data and demonstrate compliance

In order to meet these requirements, organizations will need to work closely with their Data Protection Officer and any other key stakeholders involved in the project through the course of the assessment. A DPIA should begin in the initial stages of a project before any data processing activities begin. The GDPR allows for a certain level of flexibility in determining the process and orchestration of the DPIA in order to best accommodate an organization’s current practices and sector or business-specific requirements.  The general approach for carrying out a DPI is described below:

1. Identify the need for a DPIA

Leverage the guidelines described above to determine whether a DPIA is required. If there is any doubt, it is still a good idea to perform the assessment to ensure compliance is maintained. 

2. Describe processing operations and purposes of processing

The first step here is to describe and document how data is being processed throughout the project and what the scope of the data is by answering questions such as

• How is data being collected and used?
• Where and how is data being stored?
• Where is data being collected from?
• Is this data being stored with any third parties?
• Are there any high-risk data categories involved?
• How much data is being collected and how many data subjects are impacted?
• Where are data processing activities taking place?
• What are the data retention requirements?

The next step is to describe the purpose of the data processing activities as it relates to the objectives of the project. Specifically, describe each data processing activity, how it will impact the consumer, and how it will be leveraged for the project.

3. Assess necessity and proportionality

An important aspect of the DPIA is justifying the data processing activities that are occurring in correlation with what is actually required for the objectives and outcomes of the project. Start by answering questions similar to those listed below

• Is there a legal basis for collecting this data?
• Are appropriate consent measures in place?
• Are vulnerable data subjects involved?
• Have previous projects of similar nature performed similar processing? Have security flaws been identified in these?
• Is data processing necessary to achieve the objectives of the project
• How are consumer rights being upheld?
• Are there ways to minimize the use of consumer data?

4. Consult interested parties (DPO, Stakeholders, Data Subjects)

There are several key parties that should be consulted throughout the course of the DPIA. This includes

• The Data Protection Officer who should provide feedback and advice on processing activities and potential risks of the project
• Any stakeholders in the project in order to fully understand the extent and necessity of data processing activities, and devise and suggest appropriate strategies to address any risks identified
• All Data Subjects or their representatives in order to gain feedback on their views of the processing activities of their data taking place during the project, and ensure processing activities have a legal basis.

5. Identify and evaluate risks to personal data.

This is possibly the most important component of the DPIA where any risks to personal data are thoroughly evaluated. While predicting every avenue of risk is dependent on the nature of the project, the following key aspects should be evaluated.

• Is data being stored in unsafe locations?
• Are the appropriate access control lists being applied?
• Is any software being leveraged secure from an internal or external threat?
• Is data being anonymized where applicable?
• Are data retention policies being considered?
• Is there a potential for the data to be moved to unsanctioned locations?
• Could the scope of the data processing change throughout the course of the project?

6. Identify and implement measures to address risks

Once an organization has a good idea of the potential risks involved in the project, it is essential for them to start strategically formulating and implementing the necessary security measures that will aim to address or reduce risk as much as possible. This section may involve a variety of cybersecurity platforms to help achieve and ensure the following

• The necessary security measures are in place to prevent unauthorized access to personal data, including access from internal or external actors
• Data retention policies are in place with the appropriate processes outlined to remove data that is no longer required
• Discovery and monitoring technologies are put in place in order to maintain visibility over personal data to understand where it exists, who is accessing it, how it is being used, and how it is moving throughout the organization
• Remediation action can be automated and taken at scale where applicable such as removing unnecessary data, cleaning up access, or classifying data.

7. Receive Sign off and document operations and measures

Once all risks have been identified and the appropriate security strategy has been devised, these points must be documented in order to receive the necessary sign off by the relevant parties which will be dependent on the organization and specific project. Relevant parties may include the Data Protection Officer or members of the management team.  

8. Monitor and Review

As previously noted, this assessment should not be considered a one-time exercise, with risks to personal data being considered at every step of any new or ongoing project.

Conclusion

Data Privacy Impact Assessments are a meaningful tool for data controllers to leverage in order to ensure new projects that involve processing personal data comply with the GDPR. While the regulation sets forth a generic set of requirements, the criteria set forth in this blog post are customizable to the unique nature of an organization and its data processing activities.

Stealthbits can help to automate several discovery and remediation components required for any DPIA by providing the ability to

• Discover and maintain visibility over the repositories that contain personal data
• Ensure that the proper data controls are in place by providing an understanding of who has access to what, and how they are leveraging that access
• Monitor for real-time threats and deploy policies to prevent unauthorized access to critical or sensitive information

Provide bulk remediation capabilities such as the ability to lock down access to sensitive data or remove data that has exceeded its retention policies