Updated: Apr 13, 2020
A Data Protection Impact Assessment (DPIA) is a compulsory requirement under Article 35 of the GDPR. The article itself gives guidance on when a DPIA is necessary:
"Where a type of processing, in particular, using new technologies and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks."
With that said, it is only fitting to ask: what should a DPIA contain, and how do we perform one?
As written in Article 35 of the GDPR, a DPIA should cover four essential aspects. The first is a systematic description of the processing operations and the purposes of the processing. The second is an assessment of the necessity and proportionality of the processing: the data processed should be limited to what the stated purpose requires, and nothing more. The third is an assessment of the risks to the rights and freedoms of the data subjects, together with how those risks would be mitigated should they materialise. Finally, the assessment should describe the safeguards, security measures and other mechanisms that ensure the protection of personal data and keep it secure.
Keep in mind that the DPIA must be performed before the processing begins, so that the requirements are met before any personal data is processed. It is also advisable to consult a data protection officer, although doing so is not mandatory. Compliance with approved codes of conduct should also be considered during the DPIA, to avoid running afoul of the GDPR once processing is under way.
When is the right time to perform the DPIA?
Article 35 of the GDPR already provides an outline of when it is mandatory to perform a Data Protection Impact Assessment. A DPIA is compulsory in particular when special categories of data are processed on a large scale, and when processing data relating to criminal convictions. Aside from that, a DPIA is necessary if the processing is based on automated decision-making. The last case named in Article 35 is the systematic monitoring of a publicly accessible area on a large scale.
When is it not necessary to conduct a DPIA?
A DPIA is not needed if the risks are relatively low and the rights and freedoms of the data subjects will not be compromised. The assessment is also not necessary if the processing has already been authorised. It is also important to point out that a DPIA is not needed when the processing has a legal basis in European Union or Member State law. Finally, the DPIA requirement only applies to processing operations carried out after 25 May 2018, the date on which the GDPR came into force.
Now that we have made clear which cases require a DPIA and which do not, let us discuss the points that should be considered during the assessment. Here are the simple questions a company should ask when performing a Data Protection Impact Assessment:
Identify the data your company or business holds. What do you have?
Measure the need for and significance of all that data. Do we really need all of it?
Determine how the data is being used. How do we use all this data?
Determine the risks that will arise during data processing. Will we be able to mitigate these risks?
The complete guidelines are provided by the Article 29 Working Party, also known as WP29.
To really appreciate this, let us look at some examples of data processing measured against the WP29 guidelines. An online magazine sends out a daily digest to its subscribers by e-mail. Although this is a form of data processing, it is not extensive, so a DPIA is not needed. Another example where a DPIA need not be performed is an e-commerce website that conducts limited profiling of past purchases and uses it as the basis for its display ads. While this is a case of profiling, it is non-systematic, so a DPIA is not needed.
Now let us proceed to cases where a DPIA is actually required. One clear example is a hospital, because it processes the health data of its patients, which is both a special category of data and, given the volume, large-scale processing. Another case for a mandatory DPIA is a company that monitors its employees. This includes monitoring their workstations, which makes the employees vulnerable data subjects and hence triggers the DPIA requirement. Gathering social media profiles for the benefit of private companies will also need a DPIA, since data processing in this scenario is considered evaluation and falls under the large-scale processing category. These are just some of the many examples that require a DPIA in order to be GDPR compliant. More examples and cases are provided in the WP29 guidelines.
To sum up, a DPIA is simply the assessment and calculation of any possible risks that might arise from the processing of personal data, so that they can be addressed. Companies that are familiar with ISO 27001 and have implemented the standard will appreciate the similarity between its requirements and those of a Data Protection Impact Assessment. If the personal data you have identified is already treated as an asset of your company and you have taken precautionary measures to mitigate the risks to it, then you are not far behind. Companies should not be intimidated by the existence of the DPIA under the GDPR, because WP29 has provided clear guidelines to inform them and to ensure that compliance is neither difficult nor vague. The WP29 guidelines also give an in-depth definition of what "high risk" really means, which is very useful when conducting an assessment. But if you are still not sure whether a DPIA is needed, the best option is to perform one and so avoid non-compliance with the GDPR.