Even though it may not seem like it, the purpose of laws like the EU GDPR (General Data Protection Regulation) isn’t just for the EU to gain additional revenue through fines and penalties. They exist to protect individuals’ rights.
Businesses eager to avoid those fines and penalties and do the right thing for their audience will be quick to meet the obligations laid out in the GDPR. Some activities are a no-brainer, like asking for consent or providing notice. But no matter how well-defined a law is, certain activities will fall in a grey area.
That’s where DPIAs (data protection impact assessments) come in. They help businesses evaluate their activities to ensure that they don’t impinge on individuals' data privacy rights. Furthermore, they serve as an audit trail showing that businesses have done their due diligence should a data protection authority investigate.
Organizations may be used to the GDPR by now, but the DPIA requirement can still be somewhat opaque. That’s not to mention the other global privacy laws, like the U.S. state privacy laws, that are requiring assessments similar to DPIAs. In this blog, we’ll clear up some of the confusion and break down the essentials of DPIAs.
What Is a Data Protection Impact Assessment (DPIA)?
A data protection impact assessment (DPIA) is a risk assessment audit designed to assist organizations in identifying, analyzing, and minimizing the privacy risks that come with collecting, processing, using, storing, and sharing user data. It’s one of the key components required to comply with the GDPR.
The verbiage used in the GDPR is legal, technical, and a bit vague at times. According to GDPR, DPIAs are mandated for processing that poses a high risk to a person’s rights and freedoms or for certain large-scale processing of personal data. Guidance from data protection authorities (DPAs) states that you should conduct a DPIA for processing that is likely to result in a high risk to individuals. It is also considered to be good practice to conduct a DPIA for any other major project that requires the processing of personal data.
But what constitutes “high risk”? How big is “large scale”? And what types of businesses are most at risk?
Who Should Implement a DPIA?
Unfortunately, there is no clear definition for “large scale” or “high risk” set out in the GDPR. But there are steep consequences for non-compliance, so companies need to know if they are required to perform a DPIA.
Regulating authorities in member states such as Estonia, Greece, and the Czech Republic issued their own interpretive guidance to help make sense of the terminology. The head supervising authority in Estonia came out and said that the GDPR guidelines are too broad and that they would assume that data processing was “large scale” if it involved processing:
- 5,000 data subjects’ “special category” information (e.g., racial or ethnic information, political opinions, health data, and other sensitive types of data)
- 5,000 data subjects’ criminal conviction information
- 10,000 data subjects’ high-risk data
- 50,000 data subjects’ other information
Estonia’s supervising authority also provided guidance on the definition of “high risk.” They called out services such as online banking, credit card data, e-signatures, data protected by communication secrecy, geolocation information, profiling with legal consequence, and even data about an individual’s financial status.
The UK’s Information Commissioner’s Office (ICO) guidance states that it’s not necessary to know whether the processing is “actually high risk or likely to result in harm” because that’s the job of the DPIA to assess. ICO, instead, recommends you ask yourself this question: Are there any features that point to the potential for high risk? In this instance, according to the DPA, you’re looking for red flags rather than specific parameters.
Some of these red flags include:
- Using novel technologies and applications such as artificial intelligence and machine learning
- Profiling and automated decision-making regarding an individual’s access to products, services, and other benefits
- Systematic monitoring
- Widespread use of biometrics
- Routine collecting or processing of sensitive personal information
- Collecting or processing the personal information of children
If any of these points apply to your organization, you need to know when to conduct a DPIA to maintain compliance with data privacy laws.
Review all things to consider for a Data Protection Impact Assessment: Download the DPIA Checklist
When to Conduct a DPIA?
So now you know whether or not your organization must implement DPIA. But in order to maintain GDPR compliance, you have to complete them at the right time. DPIAs aren’t meant to be an afterthought; they’re an integral part of keeping your customers’ information private and protected.
One of the key aspects of the GDPR legislation is the principle of “privacy by design.” This means that technical and organizational measures to protect consumer data should be built into the business applications and processes that will handle that data. As a means of achieving privacy by design, data protection authorities recommend performing DPIAs to reveal risks and assess and demonstrate how an organization is protecting consumer data.
To achieve this, a DPIA is recommended anytime a company is creating a new product or feature that will collect or process personal information in a new or different way. Conducting a DPIA first in this way enables privacy by design — before an organization can build a new product or feature, DPIAs ensure that the privacy needs are considered first, rather than bolted on afterward.
That’s why a DPIA should be performed before the processing takes place and should become a part of business workflows in cases such as profiling, systematic monitoring of public areas or people, and processing data on a large scale. It is a crucial tool that must be deployed prior to the processing event. The findings in the assessment should then be used to consider and implement protections to mitigate the impact on an individual's privacy.
Here are some examples of events that will require a DPIA before processing begins:
- A bus system implementing onboard cameras to monitor passengers and drivers
- An HR department planning to use a new system to process employee records
- A corporation using biometric data for access control
- A crypto wallet application collecting personal information to verify user identities
- A genealogy organization collecting and processing genetic data
- A marketing firm deploying a machine learning algorithm to personalize triggered emails
In contrast, there are scenarios that probably don’t require a DPIA. Let’s say, you’ve already performed a DPIA on a product offered in the EU and you are adding new features that do not process personal information in a new or different way. In this case, a DPIA is likely unnecessary.
What Should Be Included in a DPIA?
Organizations that perform data processing activities and who must comply with the GDPR should plan to make DPIAs a part of their workflows. If you need help starting out, you can reference the UK ICO’s page on DPIAs, which includes guidance and a DPIA template.
A DPIA should include the following:
- Whose data you are processing
- What kind of personal information you will use
- A description of the nature, scope, and context of the processing
- How, or the purpose for which, you will use the personal data that you are processing
- Identification and assessment of risks to individuals
- Any measures you will take to minimize and prevent risk to the individuals involved
A DPIA should assess factors like:
- Is personal data processing necessary and proportionate to meet your goals?
- Are the risks involved worth the desired outcomes?
- Is there a need to contact a supervising authority?
After the DPIA is complete and before processing begins:
- Assess if there is still a high risk to individuals after mitigation and weigh the severity of any impact on individuals.
- Publish the DPIA with sensitive information redacted.
- Integrate the results of the DPIA into the project plan.
- Track and monitor the project against the DPIA to maintain privacy.
DPIAs in the U.S.
While no U.S. data privacy law specifically requires a “data protection impact assessment,” many do require privacy impact assessments, or PIAs.
From a practical standpoint, there isn’t too much of a difference—if you conduct a DPIA, you’ll be meeting most of the requirements for a PIA. PIAs, however, have fewer formal requirements than a DPIA.
There are additional differences between DPIAs and PIAs. For one, a DPIA is an on-going process; you must continuously update your DPIA on a regular cadence. While that’s a smart thing to do for PIAs as well, PIAs are generally only required when some new data processing activity occurs, such as the launch or acquisition of a new business, the launch of a new product, the implementation of a new process, and so on.
That’s the general guidance, however. In reality, each state law has its own specific requirements around PIAs.
California, for instance, requires that PIAs be conducted for processing activities that present “significant risk to consumers’ privacy or security” or for any service, product, or feature that is likely to be accessed by children.
Other laws have similar requirements. Generally, if you’re wondering whether a new processing activity in the U.S. requires a PIA, consider whether it involves targeted advertising, the sale or sharing of personal data to other parties, the creation of a profile of an individual, or processing sensitive data. If it does, then a PIA is likely required.
Check out our U.S. Data Privacy Laws Guide to look up information for individual state privacy laws.
And if you’re looking for a way to make conducting DPIAs and PIAs easier, use Osano to:
- Streamline the assessment workflow using standards-based templates.
- Map your organization’s data stores and flows.
- Discover where data lives.
- Improve your overall level of data privacy compliance.
