There are plenty of privacy impact report guidelines and frameworks drafted by several independent institutions, whether private, governmental, or educational. However, most are employed for internal use, and are not available to the public.
The GDPR does not help in this regard: there are no official PIA assessment templates available as of yet, but the regulators are expected to provide them by the end of 2017. However, a check-list has been published by the Article 29 Working Party. This is also an opportunity for you to develop your own DPIA template, as long as you have all the elements required under the GDPR.
In this article, we will outline the suggested elements a DPIA should have in order to be useful and demonstrate compliance. For mor detailed information on when to perform a DPIA and how, consult our in-depth guide here.
A DPIA worth its salt must contain the information on who performed it and for what purpose. The project, its scope and purpose must be described systematically and exhaustively. A practical description of processing operations that will be carried out is mandatory, as well as technical equipment on which it will take place. Do include all relevant contextual information. There is no such thing as excessive information when it comes to DPIAs.
Contrary to popular belief, even small-scale, low-budget projects may require a DPIA if they present serious risks to personal data. The DPIAs should be performed by your data protection officer, who should act independently, without pressure or influence from the management.
You should conduct a DPIA sufficiently early, before the processing operations start, if possible, so that it can exert practical influence on the project. A DPIA is of little use halfway during the project, as it is too late to enact changes by then.
2. Information Flows
Provide a useful ‘map’ of how data will flow during the processing operation. Outline shortly how and where such data will be collected and where it will be stored. Clearly mark who will have access to data and what the safeguards are.
Take care if you are storing your data on cloud services whose servers are outside of the EU – you might need special assurances for third-country data transfers. Write out all the recipients of personal data and the retention period for that data.
This is one of the most important parts of a DPIA. Here you must give your reasons for processing the data in the first place and base the processing on one of the legal conditions – usually legitimate interest or consent. Your processing is unlawful otherwise!
Remember to adhere to the principle of data minimisation. Only relevant data should be processed, and even then, as little as possible. Evaluate whether that is the case.
Evaluate whether the data subjects (individuals) are adequately informed of their rights. Consider whether you are capable of honouring their rights (to erasure, objection, restriction of processing, and rectification).
4. Risk Management
If you have found that your processing is indeed legal, you should then consider the potential risks arising from your processing. These risks are data loss, illegitimate access, and undesired modification, which can lead to adverse consequences such as public humiliation, economic losses, physical danger, etc.
Evaluate the risks for each of the three categories of risk mentioned above. You should also specify the potential consequences and impacts in case a data breach occurs. Identify the threats that could lead to such breaches (bad IT security, lacklustre organisational measures, etc.). Estimate the severity of such risks based on their likelihood of occurring and the potential impact thereof.
After you have identified the risks, you should work out the solutions for avoiding these risks, or at least mitigating them. This is the most important part of a DPIA and it is absolutely essential for demonstrating compliance. You can use various technical and organisational measures to reduce your risks. This is something a DPO must help you deal with effectively.
All residual risks should be listed as well.
A comprehensive DPIA will ask other stakeholders for their opinion. It is impossible to appreciate the risks from a single point of view; hence why a DPO should seek the opinion of other interested parties. These can be the general public, the employees, or any other groups potentially affected.
Such consultations can help you identify unforeseen risks and the stakeholders’ feedback can help you process data more effectively by implementing beneficial changes. Make sure to document the occurrence of consultations and the groups you have reached out to in your DPIA.
6. Legal Compliance
And finally, ensure that your processing is compliant with all the relevant laws. Yes, the GDPR is the primary thing you should be aware of, but bear in mind there can be other laws that can further limit your processing, even if it would otherwise be legal under the GDPR.
Most EU member states, for example, regulate workplace monitoring and surveillance within their own legal system – likewise with children’s data.
DPIA = Not a Checklist
Remember that satisfying the above criteria is not an assurance that the DPIA has been correctly performed – it can provide a veneer of compliance, though, but that would defeat the purpose of conducting a DPIA in the first place. It should not be a mere checklist questionnaire; the purpose is to evaluate the issues in-depth instead of simply ticking off boxes.
It is also important to remember what a DPIA is not – a DPIA is simply an analysis of the potential impacts. It cannot and does not regulate nor specify the implementation of risk-reducing measures. Regular auditing is used for this purpose, which will check whether the recommendations from the DPIA have been implemented.