How to perform a data protection impact assessment (DPIA) under GDPR
A guide to the various steps for assessing the risk that your data processing could pose
The EU's General Data Protection Regulation was introduced to harmonise data transfer and standardise data protection practices and processes between member states.
However, for many, the new regulation brought with it significant disruption, with established processes and methodologies becoming non-compliant effectively overnight. In order to minimise this disruption, and to demonstrate an ongoing commitment to the principles of GDPR, most companies are now legally required to perform an assessment of their current processes and identify any potential areas of risk.
What is a DPIA?
Known as a data protection impact assessment (DPIA), the process forms a key part of an organisation's data protection obligations under GDPR, and should provide the framework for any data protection strategy. Whenever an organisation decides to start processing user data, a DPIA is required in order to assess the levels of risk to a data subject. Failure to provide evidence of a DPIA having being carried out when required can result in a fine of up to 10 million or two percent of global turnover.
It's important to note that the aim of a DPIA is to assess levels of risk in your systems, not remove risk entirely. Organisations should use a DPIA to minimise risk and decide whether current levels of risk are acceptable based on the desired results of that data processing.
DPIAs are often straightforward and quick to perform as they do not follow a set template. Instead, provided you are assessing risk in a way that suits your business processes, this will qualify as a DPIA.
Do I need to perform a DPIA?
All organisations that process data are required to assess the risk that processing poses to data subjects, both before processing occurs and after a system is implemented. This is to ensure that a company has thought ahead about how it uses data, has anticipated potential problems and has worked to address these.
The hope is that this will help to create more robust processes with data protection built-in from the ground up. In that sense, it's best to view these assessments as a means to improve your data processing practices early on, rather than as a compliance exercise.
Technically speaking, only those organisations which have types of processing that are likely to result in a high risk to the rights and freedoms of individuals' are required to perform a DPIA. Risk, in this sense, refers to a remote chance of harm to an individual, whereas High Risk suggests this is more likely.
That means companies are only required to perform this initial screening test to determine if they need to do a DPIA. Generally speaking, any processing that could involve evaluation or scoring, automated decision-making, highly sensitive or highly personal data, data related to vulnerable subjects, systematic monitoring, large scale data sets, or new technological processes, would be considered factors likely to result in a higher risk to data subjects.
Also, automated processing involving systematic and extensive profiling, processing involving large scale use of sensitive data, and anything involving the monitoring of public spaces, all require DPIAs in order to make these legal.
However, because there are a number of benefits associated with DPIAs, and because the term risk' is only loosely defined under GDPR, it's considered best practice to perform a DPIA regardless of your circumstances.
In fact, following a number of conversations with various spokespeople at the Information Commissioner's Office, it's clear that an organisation can significantly reduce the likelihood of regulatory action following a data incident if they're able to show evidence of a robust DPIA.
How do I perform a DPIA?
There is no strict template on how a DPIA should look, however, the Information Commissioner's Office does offer its own (pdf), if you wish to copy that or take some suggestions from it.
The ICO's recommended plan for performing a DPIA
Generally, all DPIAs should start early in the life of a project, before any data processing has taken place. They should also follow seven steps, as outlined below:
Step 1: Identify the need for a DPIA
In most cases, it's advised that companies keep a DPIA for each project that involves data processing. If your type of processing is listed in bold in the above section, then you will need to conduct a DPIA.
Step 2: Describe the processing
At this stage of the assessment, you should be prepared to describe how you intend to use the personal data, including how it's collected, stored, and accessed. It's also important at this stage to outline who will have the rights to access the data, who it will be shared with (including any processor relationships), how long it will be stored for, whether you are using cutting-edge technology as part of the process, and what security safeguards you have in place to protect it.
You are also required to explain the scope of the data you plan to process. This includes the type, the volume and variety of the personal data collected, how often you plan to process it, how long it will generally take to process, how sensitive the data is likely to be, and the number of data subjects associated with the data set.
You will also need to stipulate any internal or external factors that might hinder or change the expectations your organisation has when it comes to processing the data. For example, the extent to which data subjects are able to control the use of their data, how much processing is a data subject expecting, or whether the data relates to children or vulnerable people. Any factors that relate to your company's ability to process data should also be included here, such as previous experience processing similar data in the past, or changes to available technology.
Finally, every organisation is required to state the explicit reason for wanting to process the data. This can cover areas such as providing a service for an individual, or perceived benefits for wider society.
Step 3: Consider consultation
In most cases, you will want to consult with those individuals from which you are sourcing data in order to obtain views and an understanding of their expectations. There is no set way of achieving this, as GDPR only requires that you are able to provide documented evidence of this happening.
If you decide that consulting with individuals is not necessary, such as in those instances where there is a degree of commercial sensitivity, or that the process may undermine security, then this decision must be justified and documented clearly in your DPIA.
Step 4: Assess necessity and proportionality
The purpose of this step is to have your organisation assess whether the processing of data is essential to the performance of the proposed task - for example, could you achieve the same results without processing personal data?
It's at this point your DPIA should cover relevant information regarding your legal justification for processing data, and how your organisation seeks to maintain user privacy throughout the process. This includes details on any measures in place to support data rights, such as the right to erasure, and how this information will be communicated with data subjects.
Step 5: Identify and assess risks
It's here that the real bulk of the assessment will take place, essentially requiring you to explore the potential harm that your processing could create to data subjects, whether that's emotional or material.
Things such as losing control over their ability to control data use, inability to exercise data rights, the potential for identity theft, fraud, or financial loss, reputational damage, or loss of trust are all considered to be a risk to a data subject.
The biggest issue here is that risk' is loosely defined under GDPR, and so your organisation's definition may differ to another's. However, the ICO expects all organisations to consider the likelihood, and the severity, of any potential harm to an individual.
Innovative new technologies tend to always fall under the category of high risk. Specifically, any processing involving AI and its various disciplines (including facial recognition), smart technologies, internet of things, and autonomous vehicles would all create a high risk to the rights and freedoms of a data subject by default, regardless of your organisation's assessment.
Any processing involving data related to biometrics or genetics is also considered to be high risk, as is anything that involves comparing and matching data from multiple sources, even if it is used for beneficial services, such as fraud detection.
Step 6: Identify measures to mitigate the risks
In this section, your organisation is required to take what was found in Step 5, and come up with ways in which it could mitigate harm.
This could include reducing the scale of the proposed data processing, reducing the time that data is stored, or omitting certain types of data entirely. Equally, it may be that serious harm could come from a poorly implemented security system, and therefore you would need to detail specific steps that your organisation could take to remedy this.
In many cases, the list of proposed mitigations will depend heavily on the nature of your organisation and your processes.
Step 7: Concluding your DPIA
Here you are required to set out the steps your organisation has taken to remedy any issues raised during your assessment. This will include the nature of the risk as a result of these steps - whether you have eliminated it entirely or simply reduced it.
It's important to remember that as part of a DPIA you are not required to eliminate all risks to processing. In some cases, you may find that it is suitable to simply minimise the effect, or accept the risk as part of the processing.
It's here that you will need to gain approval to proceed from your data protection officer or equivalent.
Using your DPIA
As stated above, an assessment should be thought of as a tool for improving your processes, rather than as a compliance exercise. Once you have your DPIA completed, it will need to be fed back into your project and should be referred to throughout. This may involve refreshing your assessment as changes are made, or if you introduce new technologies.
Although there is no legal requirement to do so, it can be useful from a transparency perspective to publish your DPIA to the public. By doing so, your organisation is essentially holding itself accountable to the public, and makes it far easier for individuals to exercise their data rights. However, some organisations will want to withhold their DPIA, either because the information contains commercially sensitive data, or simply because they do not wish to be under unnecessary scrutiny.
If you are a public body, however, it's likely you will need to publish your DPIA in order to comply with the Freedom of Information Act.
Should the ICO know about my DPIA?
Simply put, if your DPIA identified a high risk to the rights and freedoms of data subjects, but you have taken steps to mitigate these to a point where you are satisfied, you do not need to involve the ICO.
However, if you identified a high risk, but you have been unable to reduce this and have simply accepted it as part of the data processing, you need to consult the ICO. No data processing can occur until this has happened.
If you find yourself in this position, you are required to email your DPIA to the ICO, drawing attention to the purpose of data processing and the measures taken to safeguard data subjects. The ICO will either accept your DPIA as is and allow you to process data, request for further consultation with your organisation, or reject the assessment. Rejection can lead to an official warning or an outright ban on any intended processing.