A Data Protection Impact Assessment (DPIA) is an important tool for minimizing security risks and maintaining compliance with data privacy and security regulations, specifically the EU’s General Data Protection Regulation (GDPR). However, data protection impact assessments are not only used for GDPR compliance. They’re useful for identifying, analyzing, and minimizing the potential data security risks related to any project, product, service, or system.
GDPR set the template for modern data privacy regulation, and many other countries and U.S. states have since implemented similar laws. In fact, Thales reports, “Today, there are more than 120 countries already engaged in some form of international privacy laws for data protection to ensure that citizens and their data are offered more rigorous protections and controls.”
Because DPIAs are most commonly associated with GDPR requirements, this guide will primarily discuss the process of conducting an effective DPIA in the GDPR context, such as when a DPIA is required under GDPR and the required components of a DPIA. However, much of this information is applicable to other data privacy regulations and best practices. Specifically, we’ll discuss:
- What is a data protection impact assessment?
- When is a data protection impact assessment required?
- What are the benefits of conducting a DPIA?
- What are the components of a DPIA?
- What are the stages of a data protection impact assessment?
Keep reading to learn about data protection impact assessments, how they’re conducted, and when your company should (or is required to) conduct a DPIA.
What is a data protection impact assessment?
The General Data Protection Regulation is a European Union (EU) law that came into effect on May 25, 2018. It is widely considered the most stringent data privacy and security legislation in the world. Although it protects individuals who are in the EU, compliance is not restricted to EU companies: under Article 3, any organization that offers goods or services to people in the EU, or monitors their behaviour, must comply with the GDPR regardless of where it is established.
This includes U.S. companies that do business in the EU and, in doing so, collect, process, or store personal data. With today’s global digital economy and the growth of eCommerce, many businesses around the world are subject to GDPR.
Non-compliance with the GDPR is not a viable option. Administrative fines under Article 83 can reach €20 million or 4% of a company’s total worldwide annual turnover, whichever is higher. One of the requirements of the GDPR is that, under certain circumstances, companies must perform a data protection impact assessment.
A DPIA is a process that enables companies to identify and minimize the data protection risks associated with a particular project. While performing a DPIA at certain times is mandated by the GDPR, it’s a valid tool for evaluating and reducing risk in any project that involves the processing of personal data.
A company must provide specific information in a DPIA that includes:
- Describing the nature, scope, context, and purpose of the data collection and processing
- Assessing the necessity and proportionality of the processing and the measures taken to comply with GDPR
- Identifying and assessing the risks to individuals whose data is being collected
- Identifying additional measures that can be implemented to minimize these risks
Risk assessment needs to weigh both the likelihood and the severity of an impact on an individual. For example, a remote chance of severe harm and a probable chance of moderate harm can both rate as high risk. If a high risk cannot be reduced by the planned measures, the project must be delayed until acceptable protective measures are in place, and Article 36 requires the controller to consult the supervisory authority before the processing starts.
When is a data protection impact assessment required?
Article 35 of the GDPR requires a data protection impact assessment before any processing, in particular processing that uses new technologies, that is likely to result in a high risk to the rights and freedoms of individuals. It is a critical component of the GDPR’s principle of data protection by design and by default (Article 25).
The regulation does not enumerate every case. The Article 29 Working Party (now the European Data Protection Board) published criteria that indicate a likely high risk, and its guidance is that processing meeting two or more of them will in most cases require a DPIA. Supervisory authorities also publish their own lists under Article 35(4). The criteria include:
- Use of new or innovative technologies, or novel applications of existing ones
- Tracking individuals’ location or behaviour patterns
- Large-scale and systematic monitoring of a publicly accessible space
- Matching or combining data sets containing personal data
- Evaluation or scoring, including profiling, that feeds automated decisions with legal or similarly significant effects on individuals
- Processing special category data (such as racial or ethnic origin, religious beliefs, sexual orientation, political opinions, health or biometric data) or data about criminal convictions
- Processing children’s data, particularly for profiling, marketing, or online services offered directly to them
- Processing where a breach could result in physical harm to the data subjects
What are the benefits of conducting a DPIA?
Organizations that conduct a DPIA stand to benefit in multiple ways. Following are some of the most impactful benefits of performing a DPIA.
- A DPIA enables a company to verify and demonstrate its compliance with GDPR. This can be crucial in avoiding financial penalties and reputational damage that may be very difficult to repair.
- A DPIA helps a company show that the personal data of users or customers is handled in a way that respects their rights, and it surfaces problems before a right is violated. Communicating openly about data protection measures can improve public relations and a company’s reputation.
- Performing a DPIA allows an organization to develop new projects with a foundation of data protection by design, not as an afterthought. This approach reduces the costs of data protection by evaluating them early in the development process.
- Operation costs can be reduced by eliminating unnecessary data processing and collection as a result of the information obtained in a DPIA. It may be found that certain data elements originally targeted for collection are not relevant to the project and can be ignored.
- A DPIA reduces an organization’s data protection risks in addition to ensuring compliance with regulatory standards. The measures identified to minimize the risk to the specific personal data involved in the project can be used to enhance data protection across the computing environment.
What are the components of a DPIA?
The determination that a DPIA needs to be conducted is a decision that should be made early in a project’s development. Once the commitment to perform a DPIA is made, the following components must be addressed by the process.
Describing processing operations
This involves creating a detailed listing of all data processing operations. The details required to be incorporated into the list include:
- The lawful basis for processing the data
- The type of personal data that will be processed
- Information regarding all stakeholders involved with processing the data
- How data flows for the project, including any third parties that have access to the information
Performing a proportionality analysis
The DPIA must provide evidence that the proposed data collection is necessary to fulfill the intended objective. This involves an explanation of these items:
- The business or societal objective of processing the data
- The reasons data will be processed in specific ways to meet objectives
- Alternate methods that can be used to complete the task and meet the objectives
Determining if less risky methods of data collection are possible
A risk assessment needs to be conducted that identifies all possible risks to the individuals whose data will be collected and processed. These risks include data breaches that can result in physical, material or non-material damage to an individual. The goal is to control the risks before actual data processing begins. The types of damages include:
- Financial loss and credit card fraud
- Identity theft
- Reputational damage that can be impossible to successfully reverse
If more secure or safer methods of obtaining the data required to meet objectives are available, a company should strongly consider using them. Any unnecessary risks to data resources should be eliminated as a result of the DPIA.
Describing data protection safeguards
The proposed safeguards and risk mitigation measures need to be described as part of the DPIA. These measures can involve introducing new technical solutions or modifying data handling procedures that could otherwise disclose confidential information. Examples of safeguards include:
- Implementing a data loss prevention (DLP) solution to ensure high-risk data is handled appropriately throughout an organization
- Encrypting data in transit and at rest, with keys managed separately from the data, so that it is protected throughout its lifecycle
- Enforcing least-privilege access controls that limit high-risk data to the authorized users who require it to do their jobs
What are the stages of a data protection impact assessment?
A DPIA needs to be conducted methodically for optimal results and to provide evidence of compliance with the GDPR or other regulatory frameworks. This is best done with a multi-step process that addresses the privacy and security concerns surrounding the handling of high-risk and personal data.
An important fact to remember is that a DPIA is required for each project that meets the criteria. Performing a DPIA should be incorporated into project management plans whenever sensitive or high-risk data is involved. Even if the data is not subject to regulatory standards, protecting it by conducting a DPIA is in an organization’s best interests.
Typically, a company will use the following stages when conducting a DPIA.
Determining the need for a DPIA
Not all projects demand that a DPIA be performed. If the processing is likely to pose a high risk to individuals’ rights and freedoms, a DPIA is required.
Article 35(3) names three types of processing for which a DPIA is required in particular:
- A systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions with legal or similarly significant effects on individuals are based
- Large-scale processing of special category data or data relating to criminal convictions and offences
- Systematic monitoring of a publicly accessible area on a large scale
If the organization determines a DPIA is not required, it needs to document its reasons for making that decision and include any evidence that supports its position.
Describing the data processing
A description is required that details how and why the collected data will be used. This information can then serve as justification when deciding if a full DPIA is required for this project.
The description needs to address the following four aspects of the processing:
- Nature - This aspect describes what will be done with the collected personal data. It includes details of how it will be collected, who has access, how long it will be retained, and if any new technologies are being used in its processing.
- Scope - This defines what the processing covers. It includes the nature of the personal data, its volume, variety, sensitivity, and other elements that constitute its scope.
- Context - This aspect covers any factors that could affect the expectations or the impact of the processing. Factors include the source of the data, relationships with the individuals, the amount of control individuals have over their data, and if the individuals are children or otherwise vulnerable.
- Purpose - The reason data is being collected needs to be defined and should include the organization’s interests, the intended outcome for the individuals involved, and any benefits to the organization or society.
Consulting with data subjects
Article 35(9) requires the controller, where appropriate, to seek and document the views of the individuals whose data will be processed, or of their representatives, on the intended processing. This is easier with existing contacts such as customers or employees. Where the individuals are not yet identified, techniques such as surveys or market research can be used to gauge the sentiment of prospective data subjects.
Consultation can be omitted from the process if a valid reason exists and is documented, for example because it would prejudice the security of the processing or reveal commercially confidential information.
Assessing necessity and proportionality
The DPIA needs to assess necessity and proportionality as it pertains to data collection and processing. Necessity relates to the details of the processing operation, including any retention periods that are necessary to meet project objectives. Proportionality speaks to the need to only collect personal data that is adequate and relevant for the specific purpose of the processing.
Specific details should be provided regarding how data quality and minimization will be verified, how individuals will be given privacy information, and how any data processors are contractually bound to comply (Article 28). Details about the lawful basis for the processing must also be included in the DPIA.
Identifying and assessing risks
Organizations need to identify and assess the potential physical, emotional, or material harm the processing may cause to the individuals involved. The specific risks that need to be considered include:
- The inability of individuals to exercise their rights
- Loss of access to services
- Loss of control over how personal data is used
- Identity theft, fraud, or other financial damage
- Loss of confidentiality
- Physical harm
Both the likelihood and the severity of potential damage need to be considered. A risk assessment matrix that rates each on a simple scale and combines the two ratings offers a straightforward method of performing this task.
Identifying measures to mitigate risk
Once the risks have been identified, measures to mitigate them must be considered. Mitigation measures vary widely with the nature of the processing.
The measures should be detailed enough to show how each minimizes or, optimally, eliminates the risk. The benefits and costs of potential solutions need to be evaluated before being included in the DPIA.
Completing the DPIA and recording its outcome
Completing the DPIA involves documenting the results of all previous steps as well as recording some additional information. These include:
- Additional measures that will be taken to address the project’s risks
- How each risk has been reduced, eliminated, or considered to be acceptable
- The level of risk that remains after all measures have been implemented
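A minimal risk register, as an added example that is not part of the original article or any regulator’s template, tying together the likelihood-and-severity matrix from the risk assessment stage and the outcome record above. The scoring scheme is an assumption: three-step scales for likelihood and severity, a product-based matrix (low below 3, medium from 3, high from 6), and measures that lower a rating by a stated number of steps. The register contents are constructed for a hypothetical location-analytics project.

```python
"""Added example: a DPIA risk register that scores likelihood x severity,
applies the proposed measures, and records residual risk.

Assumptions (not prescribed by GDPR): three-step scales, a product-based
matrix with low < 3 <= medium < 6 <= high, and measures that lower a
rating by a stated number of steps."""
from dataclasses import dataclass, field

LIKELIHOOD = {"remote": 1, "possible": 2, "probable": 3}
SEVERITY = {"minimal": 1, "significant": 2, "severe": 3}
LEVEL_ORDER = {"low": 0, "medium": 1, "high": 2}


def risk_level(likelihood: str, severity: str) -> str:
    """Combine the two ratings on a 3x3 matrix (thresholds are an assumption)."""
    score = LIKELIHOOD[likelihood] * SEVERITY[severity]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Measure:
    description: str
    likelihood_steps: int = 0  # how many steps the measure lowers likelihood
    severity_steps: int = 0    # how many steps it lowers severity


@dataclass
class Risk:
    description: str
    likelihood: str
    severity: str
    measures: list[Measure] = field(default_factory=list)

    def residual_ratings(self) -> tuple[str, str]:
        """Ratings after all measures, never dropping below the lowest step."""
        like = LIKELIHOOD[self.likelihood]
        sev = SEVERITY[self.severity]
        for m in self.measures:
            like = max(1, like - m.likelihood_steps)
            sev = max(1, sev - m.severity_steps)
        by_like = {v: k for k, v in LIKELIHOOD.items()}
        by_sev = {v: k for k, v in SEVERITY.items()}
        return by_like[like], by_sev[sev]


def assess(register: list[Risk]) -> dict:
    """Build the outcome record: inherent and residual level per risk, the effect
    of the measures, and whether a residual high risk remains (which under
    Article 36 means consulting the supervisory authority before processing)."""
    rows = []
    for r in register:
        inherent = risk_level(r.likelihood, r.severity)
        residual = risk_level(*r.residual_ratings())
        effect = "reduced" if LEVEL_ORDER[residual] < LEVEL_ORDER[inherent] else "accepted"
        rows.append({"risk": r.description, "inherent": inherent,
                     "residual": residual, "effect": effect,
                     "measures": [m.description for m in r.measures]})
    return {"risks": rows,
            "prior_consultation_required": any(row["residual"] == "high" for row in rows)}


# Constructed sample register for a hypothetical location-analytics project.
SAMPLE_REGISTER = [
    Risk("Re-identification of pseudonymised location traces by matching with a third-party data set",
         "probable", "severe",
         [Measure("Coarsen locations to a 1 km grid and truncate timestamps to the hour", likelihood_steps=1),
          Measure("Contractual ban on re-identification plus access logging for the analytics team", likelihood_steps=1)]),
    Risk("Breach of stored traces reveals visits to clinics or places of worship",
         "possible", "severe",
         [Measure("Encrypt at rest and in transit; restrict decryption to the analytics role", likelihood_steps=1)]),
    Risk("Automated exclusion of users from the service with no human review",
         "probable", "significant"),  # no measure proposed yet: residual stays high
]

if __name__ == "__main__":
    outcome = assess(SAMPLE_REGISTER)
    for row in outcome["risks"]:
        print(f'{row["inherent"]:>6} -> {row["residual"]:<6} ({row["effect"]}): {row["risk"]}')
    print("Prior consultation required:", outcome["prior_consultation_required"])
```

Running the block shows the first two risks dropping from high to medium once their measures are applied, while the third, which has no measure yet, stays high and sets the prior-consultation flag. Keeping the measures as data rather than prose makes it easy to re-run the assessment when a measure is dropped or a rating is challenged during review.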
If a high risk remains after the planned measures, Article 36 requires the controller to consult the relevant supervisory authority (for example, the UK’s Information Commissioner’s Office (ICO) under the UK GDPR) before proceeding with the processing. The authority can offer guidance regarding acceptable risk and may determine that the project should not go ahead as planned.
DPIAs are mandated by the GDPR under the conditions above, but they offer a beneficial process that can be incorporated into any project that involves the use of high-risk or sensitive data. A DPIA provides a mechanism for addressing data privacy and security in the early stages of project development so that protections can be designed in rather than retrofitted.
One of the overriding goals of a DPIA is to protect the privacy and security of personal data. This focus meshes perfectly with the objectives of data loss prevention software. A DLP solution can form an integral part of an overall data protection strategy and provide the necessary measures to satisfy the requirements of a DPIA.
The Reveal Platform by Next provides visibility into data resources and protection against their loss or misuse. Reveal furnishes features that continuously monitor data, automatically enforce a data handling policy, and can perform actions such as automatically encrypting data before transmission or prohibiting unauthorized users from viewing sensitive data.
Reveal offers companies a modern solution to data loss prevention that can be instrumental in addressing the data privacy protection measures detailed in a DPIA. Contact Next and book a demo to see how your company can benefit by incorporating this effective DLP solution into its data protection and security posture.