The GDPR (General Data Protection Regulation), which governs data protection throughout the European Economic Area (EEA), includes a requirement to conduct a Data Protection Impact Assessment (DPIA) for certain projects that involve the processing of personal data.
It is important to note that even though the DPIA is a requirement of the GDPR, individual states within the EEA may have further requirements, including "blacklists" of activities that trigger a DPIA. Meeting data protection requirements requires compliance with both GDPR and local regulations.
What is a DPIA?
A DPIA is a risk assessment and management plan for the processing of sensitive data. Failing to conduct a DPIA when one is required could expose your company to fines of up to €10 million or 2% of annual turnover, whichever is greater.
The GDPR (Article 35(7)) specifies what must be included in a DPIA. Key requirements are:
- A description of the planned processing, including the purposes for processing the data,
- An assessment of whether the processing is both necessary and proportional to the purposes,
- An assessment of possible risks to the data subjects’ rights,
- Measures that will be taken to protect the personal data, and
- How compliance with GDPR will be demonstrated.
When is a DPIA required?
According to the GDPR (Article 35(1)), a DPIA is required when processing data “is likely to result in a high risk to the rights and freedoms of natural persons.” It further specifies three occasions when a DPIA is certainly required:
- Processing personal information using automated processing, including profiling, where the resulting decisions affect the data subject. For example, a bank using customer data to decide whether or not to extend credit would require a DPIA.
- Processing of sensitive data on a large scale. A regional health care provider implementing an electronic health care records system would require a DPIA. An individual physician putting in place a system to manage their own records would not, as the processing is not large scale. However, the individual physician would still be well advised to do most of the things required in a DPIA to make certain they have proper safeguards in place.
- Systematic monitoring of a public space on a large scale. A retail chain installing cameras throughout their stores to monitor employees and customers would require a DPIA.
Whether or not a DPIA is required in a given situation may not be clear. Given the large penalty for failing to conduct a DPIA when one would be warranted, it is best to err on the side of conducting one if there is any doubt. As mentioned above, you should also check the local regulations for any EEA countries you do business in to see if there are local requirements you must comply with.
How do you conduct a DPIA?
The Information Commissioner’s Office (ICO) in the UK has put together a useful seven-step process for conducting a DPIA. Even though the GDPR itself will not apply in the UK after the end of the Brexit transition period at the end of 2020, GDPR requirements are being brought into domestic UK law, so it is likely that this process will remain applicable for use both within the EEA and in the UK.
The seven steps are:
- Identify the need for a DPIA. You should consult with your Data Protection Officer (DPO). Generally speaking, it is a good idea to conduct a DPIA for any substantial project that involves processing personal data. Make sure to check for local requirements on a per-country basis as well. If you conclude that a DPIA is not required, it is recommended that you prepare a memo for the file outlining why this conclusion was reached.
- Describe the processing. Per the GDPR, this must include “the nature, scope, context and purposes of the processing.”
- Consider consultation. It is advisable, where possible, to receive and document the views of individuals whose data will be handled. If you work with an external data processor, you should consult with them as well. Additionally, you may wish to consult with legal counsel or IT privacy experts.
- Assess necessity and proportionality. Do you really need to collect and process this data, or would there be some other way to achieve your goals?
- Identify and assess risks. You should think through the possible impact if the data were compromised, taking into account both the sensitivity of the information and the severity of harm, as well as the likelihood of a data breach occurring.
- Identify measures to mitigate the risks. In many ways, this is the most important section of your DPIA: what steps will you take to reduce the potential damage? You should consider everything from whether or not to collect the information in the first place, to how long you retain the data, to technological tools to protect the data, staff training, and so on.
- Sign off and record outcomes. You should record any additional measures you may plan to take, whether risks have been reduced or eliminated, how much risk remains after all the mitigation, and whether you need to consult with local authorities.
The DPIA provides detailed instructions on how your firm will comply with data protection regulations. It should be treated as a living document. As projects evolve and the environment changes, there may be new risks or concerns that must be taken into account. The mitigation steps need to become part of your project plans.
See our article on Data Protection Regulations in Europe.
The DPIA is outlined in the GDPR at Articles 35(1), 35(7) and Recitals 84 and 90.
The UK ICO’s guidance on how to manage a DPIA is available on its website.
Finally, a note on how you can use this article. This article is not to be considered legal advice and is not a substitute for advice from qualified legal counsel. Material aspects of the discussions in this article may change at any time and without further notice.