Basic guidance on DPIAs
A DPIA (Data Protection Impact Assessment) is a process to assess and identify risks when processing personal data. It is an important part of complying with the personal data regulation GDPR, and it is mandatory to carry out a DPIA when there is a high risk of a personal data breach.
A Data Protection Impact Assessment (DPIA) identifies and minimizes data protection risks related to a specific data processing activity. Art. 35 of the GDPR requires a data protection impact assessment (DPIA) be performed:
“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.”
Let’s take a closer look at when you must perform a DPIA, what the benefits are, how to do it, and what can make it easier.
Do you need a DPIA?
Is a DPIA required? Consider:
- Whether the data will be processed using “new technology”. This refers to very new, innovative technologies that are new to the world at large, with unknown personal and social consequences -not technologies that happen to be new to your company.
- Whether the nature, scope, context or purpose of processing or the type data being collected is likely to result in a high risk to the data subjects.
Article 35 (3) specifically mandates a DPIA if you plan:
- Systematic and extensive evaluation of person’s data based on automated processing, including profiling, and on which decisions are based that produce legal effects or similarly significantly affect the person.
- Processing on a large scale of special categories of data, including sensitive personal data and financial data, or data relating to criminal convictions and offences.
- Systematically monitor publicly accessible places on a large scale.
Examples of processes that you must prepare a DPIA for:
- Automated decision making for credit checks, mortgage applications, etc.
- Tracking people’s location, browsing history, health monitoring, etc.
- Processing biometric data, including face, iris, or fingerprint recognition, etc.
- Invisible processing, including list brokering, direct marketing, online tracking, etc.
- Data matching for fraud prevention and direct marketing, etc.
- Large-scale processing of personal data, even if the data is not classified as sensitive
- Collecting the data of minors or vulnerable populations
- Handling any data that could cause someone physical harm if exposed
- Collecting data with smart technologies including wearables fitness devices, market research involving neuro-measurement, etc.
If you are not sure if you should do a DPIA, remember that it is good practice to do a DPIA for any other major project that involves collecting and processing personal data.
Preparing DPIAs can help you improve your company’s privacy strategy and demonstrate compliance with regulations in case of audit. It can also bring financial benefits and increase your brand value by showing accountability and building trust and engagement with customers.
The process for preparing a DPIA
A DPIA should:
- Describe a new data processing activity or project
- Explain why the project is necessary
- Plan to mitigate and manage risks associated with the project
The DPIA be done in consultation with your Data Protection Officer (DPO) if you have one, and it should answer the following questions:
- What is the new data processing activity?
- Why is it needed?
- How will data be collected and stored?
- Whose data will be collected?
- Will this include data about minors?
- What types of data will be collected?
- How much data will be collected?
- How long will data be kept?
- How will the data be protected?
- What are the risks involved?
- How severe is each risk?
- What is the likelihood of this activity causing harm?
- What is the risk level overall of this activity?
- What do you plan to do to mitigate these risks?
We recommend regular DPIAs as part of your data privacy strategy. Keep it simple, and it will be easier to do regularly.
Download a free template for DPIA here
It takes time to perform a DPIA correctly. The process requires a thorough analysis of the processing of personal data in question and its potential risks. In addition, you must involve relevant stakeholders, such as data owners, data controllers, data processors and employees. The process requires time for documentation and reporting of the results of the DPIA. To help you on your way, we have prepared a free DPIA template that you can download here: