How to perform a data protection impact assessment

One of the more confusing topics introduced in the European Union’s General Data Protection Regulation (GDPR) is Article 35’s Data Protection Impact Assessment (DPIA).

It’s best to think of the DPIA as a targeted risk assessment of the processing operations’ legitimacy and safeguards. At a minimum, it should:

  1. Compare the planned processing operations to the legitimate business interests of the data controller, e.g., your company
  2. Consider the necessity and proportionality of the processing to intended purposes
  3. Assess the risks to the “rights and freedoms” of the data subjects (a term used to describe the individuals in scope of the GDPR)
  4. Assess the administrative and technical safeguards implemented to protect personal data.

The intent is to identify, minimize, and monitor the data protection risks inherent in data processing. A DPIA is mandatory for certain types of processing, including processing that uses any new technologies. Other prompts include, but are not limited to, systematic or automated decision-making and the processing of any data included in Article 9 special categories, such as large-scale criminal offense data and minors’ data, without a privacy notice directly to the individual.

The GDPR articles are supported by explanatory working papers. Working Paper 29 (WP29) requires a modicum of documentation even when a full DPIA is not required. This “threshold assessment” should be performed and documented regardless of whether a full DPIA is conducted. The determination and any result of that assessment must be documented as justification for not performing a full DPIA of an existing system.

Common Triggers

The two most common processing areas to require mandatory DPIAs are New Technologies and processing without a direct privacy notice. A new technology is considered to be any system deployed after the May 25, 2018 effective date. This concept aligns with another critical requirement of the GDPR, Privacy-By-Design. If a system is implemented after the GDPR becomes effective, the DPIA will drive its architecture to ensure data protections are considered from the design stage and throughout its lifecycle.

Privacy notices are a critical determinant in whether a DPIA must be conducted. The GDPR creates privacy rights for individuals analogous to the civil rights they already possess under their member countries’ Constitutions. The general theme of privacy rights is best summarized in a previously overlooked and now newly relevant quote from Steve Jobs in 2010: “Privacy means people know what they’re signing up for, in plain English, and repeatedly.” This is a clear expression of the GDPR’s notice requirements, except that notice may also be required in the data subject’s native language, since the GDPR’s standard is “transparent, intelligible, and written in clear and plain language.” This means that every individual should give informed consent to the specific, intended use of the data they provide.

Existing Systems

Once a system is deployed, the DPIA becomes a regularly recurring process to ensure the individual’s rights and freedoms are continually protected. Potential triggers for a reevaluation include new vulnerabilities, a change in technologies, a shift in processing context, or a change in the data subjects. Since these are almost always in flux, the DPIA itself should specify its recurrence period.

The Impact Assessment

The DPIA may be conducted internally or by an external party, but one of the few explicit responsibilities of the Data Privacy Officer (DPO) is to advise on the DPIA and monitor its performance. The DPIA is focused on privacy and the rights of the data subjects; it is not focused on the information security of the organization. The actual assessment may leverage any of a myriad of methodologies, but common criteria should be used. If the result of any DPIA is a high risk to a data subject, then the supervisory authority must be consulted before processing any data.

How to Prepare

The circumstances, requirements, and specifics of conducting a DPIA are complex. The next step for any organization that may hold data on E.U. data subjects is to identify how the GDPR will impact it and to conduct a threshold assessment. That determination should guide the organization in identifying its additional GDPR obligations and drive any further required action. It is prudent to seek outside counsel when in doubt. Furthermore, establishing or administering information security and data privacy assessments through legal counsel may provide the protection of legal privilege if litigation ever arises.

Written by Michael Witt

This article was originally published on UpCounsel