The General Data Protection Regulation (“GDPR”) directs how an organization should handle the personal data of residents in the European Union (“EU”). Under the GDPR, an organization must conduct a Data Protection Impact Assessment (“DPIA”) if it processes high-risk data. In this guide, we will explain:
- What is a Data Protection Impact Assessment under the GDPR: General Data Protection Regulation?
- How to create a GDPR data protection impact assessment.
What is a Data Protection Impact Assessment under the GDPR?
A DPIA is a process that helps a controller identify and reduce the risks of a data processing project. Under the GDPR, a controller “determines the purposes and means of the processing of personal data.” The GDPR requires a controller to complete a DPIA prior to processing data that has a high risk to a data subject, which is an identified or identifiable natural person in the EU.
Article 35 explains when a controller is required to complete a DPIA. If a controller wants to process data using “new” technologies that are “likely to result in a high risk to the rights and freedoms of natural persons,” the controller must evaluate the data processing:
Before processing the data, if the controller finds the data is a high risk to the data subjects, the controller must “carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.” This means that the controller should figure out the foreseen impact and take appropriate measure to protect the data. The controller may use a single assessment to “address a set of similar processing operations that present similar high risks.”
Article 35(3) lists the scenarios that would require a controller to complete a DPIA prior to processing the personal data. A DPIA is required for:
- A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offenses referred to in Article 10; or
- A systematic monitoring of a publicly accessible area on a large scale.
A supervisory authority must provide guidance to controllers for what types of operations must complete a DPIA. The GDPR requires that a supervisory authority establish and make public:
- Operations requiring a DPIA – a list of the kind of processing operations which are subject to the requirement for a DPIA.
- Operations not requiring a DPIA – a list of the kind of processing operations for which no DPIA is required.
The Article 29 Data Protection Working Party (“WP29”) published guidelines to determine whether processing is “likely to result in a high risk” to a data subject. The WP29 guidelines identify processing operations that require a DPIA due to their inherent high risk, which include:
- Evaluation or scoring that includes profiling and predicting a data subject’s “economic situation, health, personal preferences or interests, reliability or behavior, location or movements” – An example is a financial institution that screens the activities of its customers for various purposes, such as evaluating their credit performance or investigating suspected money laundering.
- Automated decisions that create a legal effect on a data subject – This includes data processing that may lead to the exclusion or discrimination against an individual.
- Systematic monitoring that is used to observe or control data subjects – This type of monitoring includes circumstances when data subjects are not aware that someone is collecting and using their data.
- Sensitive data that is highly personal in nature that includes special categories of personal data – These categories include political opinions and criminal convictions.
- Data processed on a large scale – This includes the volume of data subjects being processed and the geographical extent of the activity.
- Matching or combining datasets that originate from two or more data processing operations performed for different purposes – This may include different data controllers that process data in a way that exceeds the reasonable expectations of the data subject.
- Data concerning vulnerable data subjects – This type of processing creates a power imbalance between the data subjects and the data controller. Vulnerable data subjects include children and elderly patients.
- Innovative use or applying new technological processing solutions – This includes processing that uses fingerprint or facial recognition technologies.
- Processing that prevents data subjects from exercising a right – This includes operations that limit a data subject’s access to a service or entry into a contract. An example is when a bank uses a credit reference database to decide whether to offer a loan to a data subject.
As a general rule, the WP29 considers the level of risk as the “more criteria are met by the processing, the more likely it is to present a high risk to the rights and freedoms of data subjects, and therefore to require a DPIA.” Further, depending on the level of risk, a data controller may require a DPIA if it meets only one of the processing criteria.
GDPR: how to create a data protection impact assessment
A controller should complete a DPIA early in the life of a data processing project. The purpose of the DPIA is to identify a high risk. If the controller cannot reduce the risk, the controller must consult its supervisory authority.
Some types of controllers must appoint a Data Protection Officer (DPO). The controller should first seek the advice of its DPO when completing a DPIA. An organization should appoint a DPO based on its core processing activities that are essential to achieving the organization’s goals. An organization must appoint a DPO if its core activities involve “processing sensitive personal data on a large scale or a form of data processing which is particularly far-reaching for the rights of the data subjects.”
A controller should invest the time necessary to produce a comprehensive DPIA. A DPIA can help the controller’s project to proceed efficiently and prevent delays. The DPIA must contain at least:
- A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- An assessment of the risks to the rights and freedoms of data subjects; and
- The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
The Information Commissioner’s Office (“ICO”) in the United Kingdom released a DPIA Template to help a controller record the DPIA process and outcome. The template offers step-by-step instructions for completing a DPIA. The steps are:
- Identify the need for a DPIA – Provide a broad explanation of what the project aims to achieve and what type of processing it will involve. Include the necessary documentation in the report.
- Describe the processing – Explain how the project will collect, use, store, share, and delete data. Break down the nature, scope, context, and purpose of the processing. Include a data diagram.
- Identify consultations – Consider the need to consult with a professional, such as an information security expert.
- Assess necessity and proportionality – Review the lawful basis for processing and if the project will achieve the project’s purpose. Explain the methods for ensuring data minimization and preventing function creep.
- Identify and assess risks – Describe the source of risks and the potential impact on individuals. Access the likelihood of harm, severity of harm, and overall risk. Include associated compliance and corporate risks.
- Identify measures to reduce risk – Analyze the risks, the options to reduce or eliminate the risks, the effect of the measures on risk, and the residual risk.
- Sign off and record outcomes – Get the approval of the DPO and track the outcomes of the project.
The ICO recommends that controllers use the template for guidance. A controller can fill out the template when starting any major project that involves processing personal data. Additionally, a controller can use the form when making a significant change to a project.
The GDPR designed the DPIA to be flexible and scalable. After completing the DPIA a controller should:
- Integrate the outcomes into the plan
- Keep the plan under review
A DPIA helps a controller identify a high risk of processing personal data that it cannot mitigate. If this happens, a controller must consult its supervisory authority before starting the processing.
Although a DPIA is required for high-risk projects, creating a DPIA is also considered to be a good practice for any large project that requires processing personal data. A well-written DPIA provides a controller with evidence that it has:
- Considered the risks related to the intended data processing
- Met the broader data protection obligations