How to perform a data protection impact assessment (DPIA) under GDPR

A guide to the various steps for assessing the risk that your data processing could pose

The EU's General Data Protection Regulation (GDPR) was introduced to harmonise data protection law across member states and to standardise the practices and processes organisations use to protect personal data, including how it is transferred.

For many organisations, however, the regulation brought significant disruption, with established processes and methodologies becoming non-compliant once it took effect. To minimise that disruption, and to demonstrate an ongoing commitment to the principles of GDPR, organisations are expected to assess their current processing and identify any areas of risk to the people whose data they hold. Where the processing is likely to result in a high risk to those people, that assessment is a legal requirement.

What is a DPIA?

Known as a data protection impact assessment (DPIA), the process forms a key part of an organisation's data protection obligations under GDPR (Article 35) and should provide the framework for any data protection strategy. Whenever an organisation plans processing that is likely to result in a high risk to individuals, a DPIA is required before the processing starts in order to assess the level of risk to the data subjects. Failure to carry out a DPIA when one is required, or to provide evidence that it was carried out, can result in a fine of up to €10 million or 2% of total worldwide annual turnover, whichever is higher.

It's important to note that the aim of a DPIA is to assess levels of risk in your systems, not remove risk entirely. Organisations should use a DPIA to minimise risk and decide whether current levels of risk are acceptable based on the desired results of that data processing.


DPIAs are often straightforward and quick to perform, as there is no set template. Provided you assess risk in a way that suits your business processes and cover the elements GDPR requires (a description of the processing and its purposes, an assessment of necessity and proportionality, an assessment of the risks to individuals, and the measures you will take to address those risks), the result will qualify as a DPIA.

Do I need to perform a DPIA?

All organisations that process personal data should assess the risk that the processing poses to data subjects, both before the processing begins and again once the system is in place. This ensures that a company has thought ahead about how it uses data, has anticipated potential problems and has worked to address them.

The hope is that this will help to create more robust processes with data protection built-in from the ground up. In that sense, it's best to view these assessments as a means to improve your data processing practices early on, rather than as a compliance exercise.

Strictly speaking, only processing that is 'likely to result in a high risk to the rights and freedoms of individuals' requires a DPIA. Risk, in this sense, means the possibility of harm to an individual, weighed by how likely it is and how severe it would be; high risk means that the likelihood or the severity of that harm, or both, is greater.

This means that, at a minimum, companies must perform an initial screening to determine whether a full DPIA is needed. Generally speaking, processing that involves evaluation or scoring, automated decision-making with legal or similarly significant effects, sensitive or highly personal data, data relating to vulnerable individuals, systematic monitoring, large-scale data sets, the matching or combining of data sets, or new technologies is considered likely to result in a higher risk to data subjects, and the more of these factors that apply, the stronger the case for a DPIA.

In addition, GDPR itself names three types of processing for which a DPIA is always mandatory: systematic and extensive profiling or other automated evaluation that produces legal or similarly significant effects on individuals; large-scale processing of special category data or data about criminal convictions and offences; and large-scale systematic monitoring of publicly accessible areas. In these cases the DPIA must be completed before the processing begins.


However, because there are a number of benefits associated with DPIAs, and because the term 'risk' is only loosely defined under GDPR, it's considered best practice to perform a DPIA regardless of your circumstances.

In fact, following a number of conversations with spokespeople at the Information Commissioner's Office (ICO), it's clear that an organisation can significantly reduce the likelihood of regulatory action following a data incident if it is able to show evidence of a robust DPIA.

How do I perform a DPIA?

There is no strict template for how a DPIA should look; however, the Information Commissioner's Office publishes its own template (pdf), which you can adopt as it stands or use as a source of suggestions.

The ICO's recommended plan for performing a DPIA


Generally, a DPIA should start early in the life of a project, before any data processing has taken place, and follow the seven steps outlined below:

Step 1: Identify the need for a DPIA


In most cases, it's advised that companies keep a DPIA for each project that involves the processing of personal data. If your processing falls into one of the categories for which GDPR makes a DPIA mandatory, or it meets several of the high-risk indicators listed above, you will need to conduct one. Record your reasoning either way: a documented decision that a DPIA was not needed, and why, is itself part of your accountability evidence.

Step 2: Describe the processing

At this stage of the assessment, you should be prepared to describe how you intend to use the personal data, including how it's collected, stored, and accessed. It's also important at this stage to set out who will have access to the data, who it will be shared with (including any processor relationships), how long it will be retained, whether you are using new or innovative technology as part of the process, and what security safeguards you have in place to protect it.

You are also required to explain the scope of the data you plan to process. This includes the type, volume and variety of personal data collected, how often you will process it, how long the processing will continue, how sensitive the data is likely to be, the geographical area covered, and the number of data subjects involved.

You will also need to set out the context: any internal or external factors that shape what data subjects, and your organisation, can reasonably expect from the processing. For example, the extent to which data subjects are able to control the use of their data, how much processing they would expect, and whether the data relates to children or other vulnerable people. Factors that bear on your organisation's own ability to process the data also belong here, such as previous experience processing similar data, the current state of the available technology, and any public concern about this kind of processing.

Finally, every organisation is required to state the purposes of the processing: what it intends to achieve, the intended effect on individuals, and the benefits it expects, whether for the individual, for the organisation, or for wider society.


Step 3: Consider consultation

In most cases, you should seek the views of the individuals whose data you will be processing (or their representatives) in order to understand their expectations, and you should also seek the advice of your data protection officer and, where relevant, any processors or independent experts involved. There is no set way of doing this; what GDPR requires is that you do it where appropriate and can document how it was done.


If you decide that consulting with individuals is not necessary, such as in those instances where there is a degree of commercial sensitivity, or that the process may undermine security, then this decision must be justified and documented clearly in your DPIA.

Step 4: Assess necessity and proportionality

The purpose of this step is to have your organisation assess whether the processing of data is essential to the performance of the proposed task - for example, could you achieve the same results without processing personal data?

This is also the point at which your DPIA should record the lawful basis for the processing and how your organisation will maintain user privacy throughout, including data minimisation, retention limits, the measures in place to support individuals' rights (such as the right to erasure), and how this information will be communicated to data subjects. Where processors are used, note how their compliance is assured; where data leaves the EU, note the safeguards that cover the transfer.


Step 5: Identify and assess risks

It's here that the real bulk of the assessment takes place, requiring you to explore the potential harm that your processing could cause to data subjects, whether physical, material or non-material (such as emotional distress).

Loss of control over personal data, the inability to exercise data rights or to access a service, exposure to identity theft, fraud or financial loss, discrimination, reputational damage, physical harm, and loss of confidentiality or trust are all treated as risks to a data subject.

The biggest issue here is that 'risk' is loosely defined under GDPR, so your organisation's definition may differ from another's. However, the ICO expects every organisation to consider both the likelihood and the severity of any potential harm to an individual, and to rate each risk accordingly (for example, as low, medium or high) so that it is clear which risks call for mitigation.

Innovative technology is a strong indicator of high risk. The ICO's own list of processing that requires a DPIA includes the use of innovative technology (such as AI and its various disciplines, including facial recognition, smart technologies, the internet of things and autonomous vehicles) in combination with any of the other high-risk criteria above. In practice you should assume such processing is high risk unless your assessment can show otherwise.

The ICO's list also covers the use of biometric or genetic data, again in combination with another criterion, and any processing that involves comparing, matching or combining data from multiple sources, even where the purpose is beneficial, such as fraud prevention.


Step 6: Identify measures to mitigate the risks

In this section, your organisation is required to take what was found in Step 5, and come up with ways in which it could mitigate harm.

This could include reducing the scale of the proposed processing, collecting fewer data items or omitting certain types of data entirely, shortening retention periods, anonymising or pseudonymising the data, adding technical security controls or staff training, putting data sharing agreements in place, or making it easier for individuals to opt out. Equally, serious harm could result from a poorly implemented security system, in which case you should detail the specific steps your organisation will take to remedy this. For each measure, record its effect on the risk (eliminated, reduced or unchanged) and the residual risk that remains.

In many cases, the list of proposed mitigations will depend heavily on the nature of your organisation and your processes.

Step 7: Concluding your DPIA

Here you set out the measures your organisation will take in response to the issues raised during the assessment, together with the residual risk that remains after each measure has been applied, whether the risk has been eliminated entirely or only reduced.


It's important to remember that a DPIA does not require you to eliminate every risk arising from the processing. In some cases, you may find that it is appropriate simply to minimise the effect, or to accept the risk as part of the processing.

This is where you record the advice of your data protection officer (or equivalent), the sign-off of the person accountable for the processing, and the reasons for any decision to proceed against the DPO's advice or to accept a residual risk.

Using your DPIA

As stated above, an assessment should be thought of as a tool for improving your processes, rather than as a compliance exercise. Once you have your DPIA completed, it will need to be fed back into your project and should be referred to throughout. This may involve refreshing your assessment as changes are made, or if you introduce new technologies.

Although there is no legal requirement to do so, it can be useful from a transparency perspective to publish your DPIA to the public. By doing so, your organisation is essentially holding itself accountable to the public, and makes it far easier for individuals to exercise their data rights. However, some organisations will want to withhold their DPIA, either because the information contains commercially sensitive data, or simply because they do not wish to be under unnecessary scrutiny.


If you are a public body, however, your DPIA may be disclosable under the Freedom of Information Act, so you should be prepared to release it on request, subject to the Act's exemptions.

Should the ICO know about my DPIA?

Simply put, if your DPIA identified a high risk to the rights and freedoms of data subjects, but you have taken steps to mitigate these to a point where you are satisfied, you do not need to involve the ICO.


However, if you identified a high risk that you have been unable to reduce, and you intend to accept it as part of the processing, GDPR (Article 36) requires you to consult the ICO. No processing can begin until this has happened.

If you find yourself in this position, you submit your DPIA to the ICO, drawing attention to the purpose of the processing, the risks identified and the measures taken to safeguard data subjects. The ICO has up to eight weeks to respond, which it can extend by a further six weeks for complex cases. It will either accept your DPIA as it stands and allow you to proceed, ask for further information or consultation with your organisation, or advise that the processing should not go ahead as planned. The last outcome can lead to a formal warning or an outright ban on the intended processing.
