Do you know what a DPIA is? Do you need to conduct one?
This blog post introduces DPIAs and explains why and when you should conduct one.
What is a DPIA?
A DPIA (data protection impact assessment) is, effectively, a type of risk assessment. A core part of a DPIA is identifying risks and working out how likely they are to occur and the impact they would have. More specifically, a DPIA is an assessment of how a particular process will impact the protection of personal data, and its checklist of requirements differs from that of a typical information security risk assessment.
“A DPIA is a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them.” – WP29 (Article 29 Working Party)
DPIAs are important tools for accountability. Described in Article 35 of the GDPR (General Data Protection Regulation), they are just one of the requirements that organisations need to comply with in order to protect the personal data they process. DPIAs help controllers not only comply with the requirements of the Regulation but also demonstrate that appropriate measures have been taken to ensure that compliance.
DPIAs are sometimes referred to as PIAs (privacy impact assessments). The terms are effectively interchangeable, but the GDPR refers exclusively to DPIAs, so that’s the term we use.
Why use the DPIA Tool?
All UK organisations need to be GDPR compliant, and most will need to undertake a DPIA, or at least answer the qualifying questions to find out if a DPIA is required.
When is a DPIA required?
A DPIA is required if a process is likely to result in a high risk to the rights and freedoms of data subjects (see below). This comprises:
- Using automation to make decisions that could significantly affect an individual;
- Processing sensitive data (health data, political views, sexuality, etc.) on a large scale; and
- Monitoring public areas on a large scale.
In the UK, the supervisory authority is the ICO (Information Commissioner’s Office). It requires a DPIA to be conducted for any processes that:
- Involve the use of new technologies;
- Use profiling or sensitive data to decide on access to services;
- Involve profiling individuals on a large scale;
- Involve biometric data;
- Involve genetic data;
- Match data or combine datasets from different sources;
- Involve ‘invisible processing’;
- Involve tracking individuals’ location or behaviour;
- Involve profiling children or targeting marketing and online services at them; or
- Involve data that might endanger the individual’s physical health or safety in the event of a security breach.
Again, if an organisation is running any process that matches these descriptions, it must conduct a DPIA.
What is a data subject?
A data subject is any natural person (i.e. a living individual) whose personal data is processed by the organisation. Data subjects might be employees, contractors, etc., as well as customers. Examples include advisers, agents, applicants, complainants, consultants, contractors, correspondents, enquirers, members, patients, representatives, researchers, students, suppliers, temporary workers and volunteers.
What constitutes a high-risk process?
A high-risk process is anything that meets the criteria outlined in Article 35 of the GDPR and guidance provided by the ICO and the WP29 (now replaced by the European Data Protection Board, which has endorsed the WP29’s DPIA guidelines). Identifying high-risk processes can be difficult: any process that meets the criteria in the GDPR or in ICO or WP29 guidance should definitely be treated as high risk, but the distinction matters because there may be edge cases where a process is high risk without clearly matching any of the GDPR, ICO or WP29 criteria.
Who should conduct a DPIA?
- The controller is responsible for conducting DPIAs where they are required (as per Article 35).
- The processor is obliged to assist the controller with its DPIAs (as per Article 28(3)(f)).
What is the DPIA Tool?
Our tool walks customers through the six steps they must complete as part of a DPIA.
- Step 1 – Process description: Contains a questionnaire that prompts users for information about the process in question.
- Step 2 – Screening questions: Contains screening questions that help users work out if they need to conduct a DPIA.
- Step 3 – Consultation: Contains a questionnaire that prompts users for information about the parties they’ve consulted (such as data subjects or their representatives).
- Step 4 – Principles questionnaire: Contains a questionnaire prompting users to provide information about the necessity and proportionality of processing — e.g. what measures they have in place to uphold data protection principles, data subject rights, etc.
- Step 5 – Privacy risk assessment: Gives users the means to identify individual risks to the rights and freedoms of data subjects, including evaluating levels of risks and determining risk responses.
- Step 6 – Review: Contains a brief questionnaire asking users about whether the DPIA has been reviewed and whether the process is authorised to go ahead.
The tool is didactic, meaning that you don’t have to be an expert to complete a DPIA. The tool will make sure that you answer all the right questions. Wherever possible, references are included to the relevant sections of the GDPR, so it’s straightforward to check why a question is being asked and its context.
The DPIA Tool is aligned with guidance from both the ICO and the WP29, ‘guaranteeing comprehensive DPIAs’.
For further information on how our DPIA Tool can help your organisation stay GDPR compliant, speak to our experts. If you’d like to see the tool in action, book a one-to-one demonstration today.