Data Protection Impact Assessment (DPIA) is a way of ensuring and controlling compliance. Some sources call it a PIA (Privacy Impact Assessment), though it means much the same thing. It is used to assess the necessity of data processing, as well as to estimate the risks to the rights and freedoms of the individuals (data subjects) whose data is being processed. A well-made DPIA is a good instrument of accountability, as it demonstrates precisely which measures are being taken and to what extent.
The GDPR requires these assessments, which is a novelty compared to the Data Protection Directive; on the other hand, organizations will no longer have to notify the supervisory authorities of all processing that is taking place.
DPIA is Not Required When…
It is easier to outline the cases where the DPIA is not required, as for most processing operations, such assessment needs to be performed. The DPIA is mostly not required in the cases where:
- processing is not “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)). This should be the main deciding factor when determining whether to make an assessment or not. When in doubt, always do.
- a similar kind of processing has already taken place, so the DPIA can be re-used
- where the processing has a legal basis in legislation which states that a DPIA does not have to be carried out, and an impact assessment was already carried out when that legal basis was established
- when the processing is listed as optional on the supervisory authority list
For example, mailing lists used to send generic newsletters do not require a DPIA, provided, of course, that the e-mails are not personalized and that the users themselves signed up for the service. Even certain limited profiling may not require a DPIA, such as analysing past purchases made only on that site and then displaying potentially interesting ads for further items on the website.
If you feel the DPIA is not required, you should still make an assessment noting your rationale for not performing a full-scale DPIA.
When Is DPIA Required?
Conversely, a DPIA is required whenever processing is likely to present a high risk to the individual. The official recommendation of the Article 29 Working Party is that a DPIA be conducted whenever it is not clear whether one is required, since such an assessment is a useful tool nonetheless.
The advice of the data protection officer should be sought in all cases when making an impact assessment regarding high-risk data. A DPIA should be re-assessed at least every three years, and sooner if any circumstances have changed. Periodically review your processing activities; for some of them, a DPIA may have become required in the meantime due to changes in risk.
Existing operations started before May 2018, when the GDPR enters into force, could also be subject to a DPIA. Strictly speaking, this is only required if significant changes occur or when an update is due, but it would still be prudent to do it right away.
What Constitutes High Risk?
Article 35(3) outlines areas for which a DPIA is particularly required. This includes automated processing, including profiling, which evaluates personal aspects of a natural person in a systematic and extensive way, where such processing results in decisions that could have a significant legal impact on that person’s life.
Large-scale processing of sensitive personal data also requires the production of a DPIA. Article 9(1) lists the special categories of personal data as data revealing “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”. If your company is processing such data, then a DPIA is mandatory.
Systematic large-scale monitoring of a publicly accessible area also requires a DPIA.
Note that this list is non-exhaustive. Similar high-risk activities could exist that would essentially necessitate a DPIA without being listed themselves. How should your company know what counts as high-risk data? The Article 29 Working Party has created a set of criteria, based on the Articles and recitals of the GDPR, that can help you determine whether your data is high-risk.
Criteria for High-Risk Data
The Article 29 Data Protection Working Party has published the following guidelines for assessing whether your data belongs to a high-risk group. The more criteria your processing meets, the more likely it is to be high-risk. Meeting two or more criteria should be a clear sign that a DPIA is in order. Supervisory authorities themselves will have to compile a list of processing operations for which a DPIA is mandatory.
1. Evaluation or Scoring
Screening someone’s personal data, including profiling and predicting one’s preferences based on it, is certainly high risk. This includes the individual’s performance at work, health and economic situation, behaviour and movement. Practical examples would include assessing one’s creditworthiness based on credit bureau data, or health plans based on one’s genetic tests.
2. Automated decision-making
This type of decision making concerns automated (computer) decisions that can have significant legal effects on an individual. Improper use may result in discrimination (not giving someone a loan based on circumstantial demographic data, or displaying a different set of ads based on the user’s spending habits, for example). Keep in mind that an individual has the right to human intervention, i.e. manual review of the decision, and the right to contest any such decision.
3. Systematic Monitoring
When monitoring or observing data subjects in a publicly accessible area (such as video surveillance or wi-fi tracking in front of a business establishment, like a shopping centre), a DPIA must be performed. This is because individuals may not know that their data is being collected, or by whom, and may be unable to avoid such monitoring even if they are aware of it.
For example, if you monitor your employees’ activities, such as when they got to work and which websites they browse while at the office, a DPIA is mandatory.
4. Sensitive Data
A DPIA is mandatory when processing special categories of personal data, as outlined in the previous section. This would encompass, for example, medical records and financial data. However, even non-sensitive data can fall under this category if data is captured to such an extent that the processing becomes very intrusive, such as “cloud computing services for personal document management” and similar.
5. Matching Datasets
When data from two distinct processing operations is combined, usually from different data controllers, and used for various purposes not foreseen by the data subject, such processing is highly sensitive and requires a DPIA. Care must be taken to establish whether such processing is permissible in the first place. Tracking across devices may fall into this category, as well as linking usage data collected via a cookie with an advertising ID.
6. Large-Scale Processing
Large-scale processing consists of processing a large amount of personal data at “regional, national or supranational level”. Such processing which could affect a large number of individuals or result in a high risk is considered large-scale.
To better understand whether your data processing activities qualify, analyse both the relative (as a percentage of the total population) and the absolute number of data subjects concerned. The sheer amount of data, the duration, the type of processing and the geographical extent also play a part. What constitutes large-scale has not been precisely defined, so if in doubt, perform a DPIA.
7. Vulnerable Subjects
When there is a “power imbalance” between the data subject and the data controller, a DPIA may be required. The power imbalance refers to the data subject’s inability to freely consent to the use of their data. Employees, the elderly and patients are the most prominent examples of vulnerable subjects. Employees often cannot oppose processing (lest they lose their job).
8. New Technologies
The technology this pertains to the most is definitely biometrics, but it includes other novel uses of technology for data processing, such as the Internet of Things. Fingerprint and facial recognition are expressly listed, but the list is non-exhaustive. The rationale is that new technologies may collect and use data in previously unseen ways, and data subjects may not be aware of it at all. Data controllers could also struggle to adequately assess the risk, let alone the measures needed to control it. The DPIA helps solve that problem. The Working Party document lists a motorway camera system that monitors driving behaviour using number-plate recognition as an example of a novel technology requiring a DPIA.
9. Cross-Border Transfer
This depends on the country the data is being transferred to, and on whether any adequacy decisions or derogations apply. A DPIA will most likely be required, since such transfers are governed by international rules rather than the GDPR alone, which makes them riskier.
10. Denial of Rights
In some cases, this is similar to point 1 of this list. It includes publicly unavoidable processing, as well as that which can prevent individuals from making a contract – see the bank loan example above.
How to Carry Out a DPIA
The DPIA should be carried out before the processing begins, in line with the philosophy of ‘data protection by design’. It should be done as early as possible, even if some processing activities are still unknown. The DPIA can (and should) be updated afterwards. The Working Party stresses that “carrying out a DPIA is a continual process, not a one-time exercise”.
It is the controller’s obligation to carry out a DPIA. The controller may delegate the task to someone else, but the responsibility lies solely with the controller. If the organisation has appointed a DPO, they should be consulted on all matters regarding DPIAs, as they are also responsible for monitoring their performance.
Consult All Interested Parties
A potential issue is the requirement of the GDPR that data controllers should, where appropriate, consult the data subjects when carrying out a DPIA. This can be done via a survey, study or consultations. If the views of the data controller differ from those obtained from the data subjects, this should be noted in the DPIA. If you feel that consulting data subjects is not feasible (due to few means of reaching them or extraordinary costs, for example), you can opt not to seek their opinions, but you must provide reasons for doing so.
Depending on the complexity, your company might need help from independent advisors from various fields, especially if your operations are complex and large-scale. This is allowed under the GDPR and falls under the ‘consultation’ part from the previous paragraph. Both internal and external consultations can be performed.
A DPIA can be rather exhaustive, which is a plus in most cases. While a DPIA is not a public document and does not need to be published, it helps build public trust if a company decides to do so. Bear in mind that while an exhaustive DPIA is good, any trade secrets or sensitive information you include will be sent to the supervisory authority; a public version does not need to be as detailed.
Some supervisory authorities have already published their methodologies for producing a DPIA, for example Germany’s ULD or the UK’s ICO.
Obligatory Content of the DPIAs
DPIAs must contain at least the following:
- Description and purposes of processing
The scope of the project for which the DPIA is performed and its purposes must be exhaustively described. All relevant contextual information should be included. Provide a practical description of the processing that will take place, and mention the technical equipment that will be used for it.
- Assessment to ascertain whether such processing is even required
Give your rationale for processing and explain which legal basis you aim to base your processing upon.
- Assessment of potential risks to the data subjects
Evaluate the risk of data loss, illegitimate access and undesired modification, as these lead to real and damaging consequences to individuals.
- Measures taken to minimize the risk and ensure compliance with the GDPR
These guidelines are very broad and can be made more specific depending on the data processing activities. This will be addressed in conjunction with the local supervisory authorities, but it also means that conducting a DPIA is feasible even for smaller companies.
Overall, it should not be too difficult to comply with the stipulations regarding the contents of the DPIA, as they largely overlap with existing quality assurance schemes (ISO 31000, for example). The Article 29 Working Party likens the DPIA to a risk management tool, since it by nature encompasses all the factors (nature, scope and purpose) of the processing, contains risk assessments (how likely data breaches are to occur) and methods of treating such risks (ensuring that adequate safeguards are used at all times).
Regardless of the precise structure of the DPIA, it must be a genuine attempt to assess the risks and determine what measures the company should take to alleviate them. ENISA recommends the use of two axes for risk assessment. The impact axis has four levels, ranging from low to very high, reflecting the potential impact a breach would have on the data subjects; the ‘threat occurrence probability’ axis is self-explanatory. Combining the two gives a risk level value. A high probability of a data breach can elevate the risk level of low-impact data. For example, all high-impact data are high-risk regardless of probability, while low-impact data are considered medium-risk if the probability of a data breach is high.
High-risk data warrant more stringent security measures, ranging from organisational (access control and training) to technical (encryption, safe deletion, storage only on computers not connected to the Internet, etc.). Always remember that the less data you have on hand, the lower your risks are. In fact, under the GDPR you are not allowed to keep more data than is absolutely necessary for the processing in the first place.
Communication with the SA
The supervisory authority must be contacted if the residual risks, i.e. risks that are left even after performing all the reasonable measures, are still too high. For example, personal data stored on company servers can be managed with encryption, employee training, backups, access controls and finally, data destruction.
However, in some cases even such robust measures are not enough and the risk becomes unacceptable, and the company cannot do much more about it. This is especially true of sensitive data that might, to put it bluntly, ruin one’s life should a data breach occur.
Failing to perform a DPIA, performing it incorrectly, or not consulting the appropriate supervisory authority when necessary can result in penalties of up to EUR 10 million or 2 percent of a company’s global turnover for the preceding year, whichever is higher.
These fines are draconian, and proper management of impact assessments is certainly a more fruitful investment.
It pays to perform good and comprehensive DPIAs, since they are an essential tool for proving compliance with the GDPR, and they also help your company establish data protection measures that will ensure customer satisfaction and data security.
A DPIA is a process, not a checklist, and so must be reviewed often. An organization must always keep track of its operations, and a DPIA can shed some light on certain risky situations when the processing operations are re-assessed. Note that DPIAs do not enforce the implementation of risk-reduction measures; they merely specify them. Regular audits should be used to ensure that the recommendations are followed.
The GDPR has given companies and organisations a lot of leeway in producing their DPIAs, providing only broad and minimal guidelines. More detailed advice is sure to follow, but this is a good sign: even smaller companies without a legal department will be able to complete them. DPIAs could, eventually, become much less of a headache than they seem to be right now.