Conducting a data protection impact assessment (DPIA) or privacy impact assessment (PIA) is a complex and challenging task. Nevertheless, it’s critical to do. Data privacy concerns have become a significant focus across all industries, and for good reason: data is at higher risk than ever before. In its 2020 Q3 Data Breach QuickView Report, Risk Based Security revealed that 36 billion records were exposed during the first three quarters of 2020.
Regulatory bodies worldwide have worked to mitigate risk to personal data by establishing compliance regulations. In particular, conducting regular DPIAs is a key mandate of the General Data Protection Regulation (GDPR), the scope of which extends to all organizations that store or process the data of European Union (EU) residents. This article explains what these assessments entail and how to perform them.
What is a data protection impact assessment?
A data protection impact assessment is meant to identify, analyze and minimize the data protection risks of a project or plan. DPIAs are required by the GDPR’s “protection by design” principle.
What are the benefits of a DPIA?
The benefits of conducting DPIAs extend far beyond GDPR compliance. They include:
- Lower likelihood of data breach events
- Reduced risk of failing to meet legal obligations
- Less risk of hefty expenses for data breach recovery, fines, lawsuits and lost business
- Easier compliance with other data protection regulations
How do I know if I should conduct a DPIA?
Organizations are required to conduct a DPIA anytime their data processing is likely to result in a high risk to the rights and freedoms of individuals. Article 35 of the GDPR law states:
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
Failure to carry out a DPIA when required by the official guidelines can result in legal enforcement actions, including steep fines from the European Data Protection Board.
Here are some types of processing activities that automatically require a DPIA, according to the GDPR:
- Conducting systematic personal evaluations of any individual
- Large-scale processing of sensitive data
- Large-scale systematic monitoring of public areas
When is a DPIA required?
The GDPR does not require organizations to conduct DPIAs for every processing operation that relates to privacy; GDPR outlines the following criteria to determine whether a DPIA is mandatory:
- Evaluation or scoring. Organizations must conduct DPIAs when profiling people, especially their performance at work, economic situation, health, personal preferences or interests, behavior, location, or movement. Examples include comparing credit scores, genetic testing to assess health risks, and behavioral-based marketing profiling.
- Automated decision-making. A DPIA is required when organizations enact processes that automate legal decision-making. Organizations must ensure that such processing doesn’t lead to exclusion of or discrimination against an individual.
- Systematic monitoring. Organizations must conduct DPIAs when observing, monitoring or controlling data subjects — including when they are in public areas. Examples include remote security monitoring, such as doorbell camera apps.
- Sensitive data handling. A DPIA is required any time an organization deals with highly personal data, such as a patient’s health data.
- Large-scale data processing. A DPIA is required when an organization carries out large-scale data processing. Criteria for determining whether data processing occurs on a large scale include the number of data subjects, duration and geographical extent of the activity.
- Matching or combining datasets. When an organization merges or compares two or more sets of data collected for different purposes, it must conduct a DPIA.
- Vulnerable data subjects. A DPIA is required when there is a power imbalance between data subjects and the data controller, since that could harm the data subject. This includes subjects who are unable to oppose the processing of their data, such as children, employees, and people who have mental illness or cognitive issues.
- Innovative use. New technology solutions can warrant a DPIA. Technologies such as fingerprint and facial recognition may be considered innovative uses of data. Internet of things (IoT) devices are another common technology affected by DPIA requirements.
- The transfer of data outside the EU. For example, if an organization expands its services to another country, it needs to conduct a DPIA and ensure that appropriate safeguards are in place.
- Handling applicant data. When an organization carries out processes that “prevent data subjects from exercising a right or using a service or contract,” the organization must conduct a DPIA. An example is a bank that performs a credit check as part of a loan application.
When is a DPIA not required?
Organizations are not required to conduct a DPIA under the following circumstances:
- Legal obligations — If you are processing data based on a legal obligation or on behalf of the public, you don’t have to conduct a DPIA. This exception applies only when data processing meets at least one of the following circumstances:
- The organization has a statutory basis for processing the data.
- A legal provision or statutory code regulates the processing operation.
- The organization is not subject to DPIA obligations as laid out in applicable legislation.
- A data protection risk assessment was conducted as part of the impact assessment when the GDPR was adopted in May of 2018.
- You’ve already conducted a similar DPIA — If you have completed a DPIA and can prove that the nature, scope, context, and purposes of the current situation are all similar, you may be exempt from a new DPIA.
When should a DPIA be conducted?
Organizations should incorporate DPIAs into new projects that involve personal data from the start and use them throughout planning and development. For instance, if an organization wants to develop an IoT app, it should consider DPIA obligations during the first stages of the planning process and through to completion.
What about processes that were in place before the GDPR took effect?
The DPIA requirement applies to processes that started on or after May 25, 2018, and to processes that started before that date and have changed in a way that affects compliance requirements.
Though an organization may technically be exempt from carrying out DPIAs, most compliance experts recommend conducting DPIAs even for operations that were already underway before the GDPR went into effect.
What steps should I take to perform a DPIA?
Step 1: Determine whether a DPIA is required.
Use the information above to determine whether a DPIA is required. Be sure to document the following aspects of the processing:
- Nature — What you plan to do with the data
- Scope — What data will be processed
- Context — Internal and external factors that could affect expectations or impact
- Purpose — Why the organization wants to process the data
Step 2: Identify who should be involved.
A DPIA should involve the person in charge of the project for which the assessment is required, as well as your Data Protection Officer (DPO). If you use a data processor, you may need to ask them for information and assistance as well. In some cases, organizations may consult outside experts, including information security professionals, lawyers, technicians, security analysts and sociologists who have data privacy expertise.
Step 3: Conduct a risk analysis.
Create a prioritized list of your assets and identify potential vulnerabilities. For example, if one of your assets is a server where you store client data, risks to that data could include natural disasters, hardware failures or malicious behaviors like hacking.
In your risk analysis, consider:
- Data whose loss or exposure would impact operations
- Key business processes that use or require those data assets
- Threats that could affect the organization’s ability to operate and the severity and likelihood of each threat
Step 4: Identify and evaluate data protection processes and tools.
Start developing and implementing appropriate software solutions and risk mitigation measures. Organizations must document which risks a specific solution will help mitigate and how.
Here are two examples of risks and potential solutions:
Risk: The organization retains PII longer than necessary.
Solution: An automated data retention workflow tool.
Risk: Unauthorized users might access the server and browse PII.
Solution: Increase security monitoring and testing of the server.
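The first risk above, PII kept past its retention period, is the kind of control that can be checked mechanically. The following is an added example, not code from the original article or from any Netwrix product: it evaluates a simple per-category retention policy over a set of constructed records, separates records that are past their deadline from those still within it, and keeps anything under legal hold out of the purge list so a deletion job cannot destroy evidence. The category names, retention periods and record values are all assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention policy: maximum days to keep each data category after last activity.
# These are constructed values for the example, not legal guidance.
RETENTION_DAYS = {
    "customer_account": 365 * 2,
    "support_ticket": 365,
    "marketing_consent": 180,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    last_activity: date
    legal_hold: bool = False  # records under litigation hold are never purged


def retention_deadline(record, policy=RETENTION_DAYS):
    """Date after which the record should no longer be retained."""
    return record.last_activity + timedelta(days=policy[record.category])


def classify_records(records, today, policy=RETENTION_DAYS):
    """Sort records into purge / keep / hold buckets.

    Returns a dict of record IDs per bucket; this report is what a retention
    job would act on and what the DPIA file can cite as evidence that the
    control runs. An unknown category is an error rather than silently kept,
    because a record with no defined retention period is itself a policy gap.
    """
    purge, keep, hold = [], [], []
    for r in records:
        if r.category not in policy:
            raise ValueError(f"no retention period defined for category {r.category!r}")
        if r.legal_hold:
            hold.append(r.record_id)
        elif retention_deadline(r, policy) < today:
            purge.append(r.record_id)
        else:
            keep.append(r.record_id)
    return {"purge": purge, "keep": keep, "hold": hold}


# Constructed sample data: an inventory snapshot as of 2021-01-15.
SAMPLE_TODAY = date(2021, 1, 15)
SAMPLE_RECORDS = [
    Record("acc-1", "customer_account", date(2018, 6, 1)),        # deadline 2020-05-31: purge
    Record("acc-2", "customer_account", date(2020, 3, 1)),        # deadline 2022-03-01: keep
    Record("tkt-1", "support_ticket", date(2019, 12, 1), True),   # overdue but on legal hold
    Record("mkt-1", "marketing_consent", date(2020, 6, 1)),       # deadline 2020-11-28: purge
    Record("mkt-2", "marketing_consent", date(2020, 9, 1)),       # deadline 2021-02-28: keep
]


def run_sample():
    """Classify the constructed sample as of SAMPLE_TODAY."""
    return classify_records(SAMPLE_RECORDS, SAMPLE_TODAY)


if __name__ == "__main__":
    for bucket, ids in run_sample().items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

In practice the report would be written to an audit log and the actual deletion performed by the system of record; keeping the decision (this function) separate from the deletion step makes the control testable and gives the DPIA a concrete artifact showing how the retention risk is mitigated.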
Step 5: Produce a final DPIA report.
DPIA records must include the following information:
- A detailed description of the project and its purpose
- An assessment of data processing needs and scope
- An assessment of data protection and consumer privacy risks
- An explanation of how the organization will mitigate risks and comply with GDPR guidelines
It’s best practice to publish DPIAs in full or in part, even if GDPR guidelines do not require it. This helps to foster trust in your processing operations and demonstrates accountability and transparency to all stakeholders. Be sure to get approval from the parties involved in the DPIA, such as your Data Protection Officer or members of the management team. You’ll also need to obtain sign-off from supervisory authorities, such as the Data Protection Commission.
If this is your first DPIA, check out the helpful Netwrix blog post, “How to Jump-Start GDPR Risk Analysis.”
How can Netwrix help?
Netwrix solutions help organizations with multiple areas of GDPR compliance, including:
- IT risk assessment — Identify and prioritize security risks to avoid costly security breaches.
- Data classification — Tag GDPR-regulated data across on-premises and cloud environments so you can protect it as required.
- Data access governance — Strictly control access to regulated data.
- Behavior analysis and threat detection — Spot suspicious user activity before it leads to a breach or other compliance violation.
- Data subject access request (DSAR) tool — Quickly and efficiently satisfy GDPR provisions about the rights of data subjects.
1. Are DPIAs mandatory?
Article 35 of the GDPR requires a DPIA whenever you conduct processes likely to increase risk to individual rights or freedoms. The DPIA requirement applies to processes that started on or after May 25, 2018, and to processes that started before that date and have changed in a way that affects compliance requirements.
2. Are there any exceptions?
A DPIA might not be required if you are processing data based on a legal obligation or on behalf of the public, or if you conducted a similar DPIA already.
3. Who is responsible for performing DPIAs?
A DPIA should involve your Data Protection Officer, if you have one, as well as the person heading the project that triggered the DPIA and any relevant data processors.
4. When should DPIAs be conducted?
Organizations should incorporate DPIAs from the start in any new project and conduct them throughout the planning and development process.
5. What should a DPIA contain?
The ICO (the UK Information Commissioner’s Office) describes what to include in a DPIA. Be sure to document the following factors about the data processing:
- Nature — What you plan to do with the data
- Scope — What the processing covers
- Context — The bigger picture, such as internal and external factors that could affect expectations or impact
- Purpose — The reason your organization wants to process personal data