What is a Data Protection Impact Assessment?
A DPIA is a Data Protection Impact Assessment: an assessment of the likely impact of a project on data subjects (individuals) and their rights regarding privacy and freedom to conduct business. Its goal is to identify, before a new process involving personal data begins, what measures might be needed to comply with the GDPR or equivalent legislation elsewhere in the world, and to make clear how the project affects those individuals’ rights.
DPIA means Data Protection Impact Assessment. The UK ICO (Information Commissioner’s Office) defines a DPIA as “a process to help identify and minimise the data protection risks of a project.”
For a technical assessment of how data protection techniques are applied in practice, such as whether sensitive information is stored with appropriate encryption or in clear text, refer to our specific offering:
A data protection impact assessment (DPIA) provides a systematic and comprehensive examination of personal data processing at a broad level. It enables the organisation to reduce data privacy risk by determining how personal information is used and which technology processes it. Although a DPIA does not remove all of the risks, it helps considerably to document and mitigate them by assessing the likelihood and impact of the processing on individuals’ personal data, freedoms and rights.
Why is DPIA Required?
A data protection impact assessment is a legal requirement and essential for any data processing that poses a high risk to individuals’ personal information.
Under the GDPR, a DPIA is required when there is:
- a systematic and extensive evaluation of the personal aspects of an individual, including profiling
- processing of sensitive data on a large scale
- systematic monitoring of public areas on a large scale
Other factors of the high-risk processing where DPIA is required may include:
- Evaluation or scoring.
- Automated decision-making with legal or similarly significant effect.
- Systematic monitoring.
- Sensitive data or data of a highly personal nature.
- Data processed on a large scale.
- Matching or combining datasets.
- Data concerning vulnerable data subjects.
- Innovative use or applying new technological or organisational solutions.
- Preventing data subjects from exercising a right or using a service or contract
It is essential to build DPIAs into the organisation’s data processing to avoid penalties and fines of up to 2% of the organisation’s annual global turnover or €10 million in case of a breach. Some organisations opt for a PIA (Privacy Impact Assessment) or a DPIA, depending on their specific requirements.
Are data protection impact assessments mandatory under GDPR?
Previously, a DPIA was acknowledged by the ICO as a best practice for maintaining privacy in data processing and protecting data subject rights. Under the UK GDPR, however, a Data Protection Impact Assessment is a mandatory requirement for high-risk processing activities.
When is DPIA required?
You should carry out a DPIA wherever data processing is likely to result in a high risk. Refer to the data protection impact assessment methodology later in this article for how to decide on and assess the risk in question.
When is a data protection impact assessment not required?
A DPIA is not mandatory if a data processing operation meets only one of the criteria. Where there is doubt, or it is difficult to determine whether the risk is high, a DPIA is recommended at least every three years.
How do you know if you need to complete a DPIA?
A data protection impact assessment is not necessary for every type of data processing, only for processing that involves sensitive data, vulnerable individuals, access to services, profiling, or large-scale monitoring. Even so, it is good practice to embed the DPIA into your processes and carry out a DPIA screening exercise wherever personal data is processed.
To carry out the screening exercise, you can determine whether a DPIA is necessary, with the help of data protection officers and stakeholders or on your own, by working through the following project screening questionnaire, provided as a screening template guideline.
The DPIA checklist requires answers to the following questions:
- Will the project involve the collection of new information about individuals?
- Will the project require individuals to provide information about themselves?
- Will information about individuals be shared with organisations or people who have not previously had routine access to the information?
- Will the project use information about individuals for a purpose it is not currently used for, or in a way it is not currently used?
- Does the project involve you using new technology that might be perceived as being privacy-intrusive? For example, the use of biometrics or facial recognition.
- Will the project result in you making decisions or treating individuals in ways that can significantly impact them?
- Is the information about individuals likely to raise privacy concerns or expectations, such as health records or information that people consider to be particularly private?
- Will the project require contact with individuals in ways they may find intrusive, for example, unexpected telephone calls?
- Will the project use personal data, including personal data obtained from live or operational systems, for access or transfer outside the UK (e.g., Cloud, Hybrid or offshore support purposes)?
- Will the project involve processing special category personal data?
When should a data protection impact assessment (DPIA) be conducted?
A DPIA is not a one-time assessment but an ongoing process that must be carried out whenever a data processing concern is observed in a project or task that could affect individuals’ rights and freedoms. Where you carry out several similar processing operations that present similar risks, it is appropriate to carry out a single DPIA that addresses all of them.
Before undertaking a full DPIA, it is also beneficial to do the DPIA screening exercise mentioned above. If any of the screening answers is positive, you must conduct a DPIA.
How do you carry out a data protection impact assessment?
The UK GDPR does not define a particular method for carrying out a DPIA. Instead, it describes processes that can be incorporated into the project’s existing risk management approach. The legislation suggests involving the data protection officer and other stakeholders, along with the project team or controller, before designing or conducting a flexible and scalable DPIA process. Our DPIA checklist is based on the ICO’s data protection impact assessment guidance.
Data Protection Impact Assessment methodology
The following DPIA checklist includes our data protection impact assessment methodology to help you design a DPIA process flow.
1 Identify the need for DPIA
As noted above, a DPIA is required for processing likely to pose a high risk to individuals’ rights and freedoms, and not every type of processing will trigger such a risk. In the DPIA process, you must identify the nature of your data. This can be done by carrying out the DPIA screening or by considering the three things involved in the data processing:
- Systematic and Extensive Evaluation
- Large-scale use of sensitive data
- Public monitoring
If your data falls into any of these areas, you must carry out the data protection impact assessment; if you judge that the processing is not high risk, you must explain and defend that reasoning. Whether or not you conduct a DPIA, you must document the judgement in every case.
2 Describe the processing
Once you have identified the need for a DPIA, you must explain why you need to process the data and how the processing will be done. Assessing the requirements gives you a clearer picture for conducting the impact assessment. In this stage, you must study the nature, scope, context and purpose of the processing and set them out to avoid problems later.
While defining the nature of the data processing, you should answer and highlight the following points:
- How will the data be collected and stored?
- Who will have access to data?
- How long will the data be processed or stored?
- Does the data need any processing at all?
- How will data security and privacy be incorporated?
- What type of technology will be involved in the processing? And so on.
While defining the scope of the data processing, examine the following:
- What is the nature of personal data?
- What is the volume of data?
- Is there a different variety of data?
- Does the data contain any sensitive information?
- What will be the duration of processing?
- Where will the processing take place, and which geographical region does the personal data belong to?
- How many individuals’ data are involved in the processing?
Describing the context helps to analyse the internal and external factors that may influence the risk associated with the data processing. While defining the context, always investigate the following:
- What is the data source?
- What controls and rights does the data subject have?
- What are the data subjects’ expectations with the processing?
- What are the controls data subjects will have over their data?
- Does the data collection and processing involve children or vulnerable individuals?
- What will be the relationship between the data controller and individuals?
- Are there any public concerns about individuals’ data in this context?
- What is the state of the art in technology or security for this kind of data processing?
Here, the controllers must demonstrate why they want to process the personal data by documenting the following:
- What are their legitimate interests (if relevant)?
- How will the processing outcome complement the data subject’s intention and expectations?
- What are the benefits of data processing for the controller or society as a whole?
3 Consider consultation
Wherever your project or task requires processing of existing or new individual data, you must consult with the individuals to understand their expectations, views and opinions about the processing, and consult with the data protection officer and stakeholders to design the DPIA process.
Nonetheless, there will be some cases where consulting individuals is not appropriate, for instance where there is commercial sensitivity or where consultation would undermine security. In such cases, you must document and justify your decision clearly in your DPIA.
Similarly, if after consultation your DPIA decision goes against the data subjects’ views and you still need to process the personal data, you must document in your DPIA your reasons for disregarding their views.
4 Assess necessity and proportionality
At this step of your DPIA, it is the responsibility of the controller and project team to assess the processing requirement and analyse whether processing the data is essential for the selected task, or whether the result could be achieved without processing all of the personal data.
At the same time, the controller is responsible for checking the proportionality of the data processing by correlating the processing requirement of the proposed task with the GDPR. At this point, the DPIA must include the legal justification and the measures that verify necessity and proportionality by checking the following:
- What will be the lawful basis for the data processing?
- How does the data processing fulfil the individual’s rights set out in the GDPR?
- What critical measures must be considered to process the personal data?
- How will the data quality, minimisation and privacy be maintained?
- What requirements will be there for the data processor to comply with?
- How will the organisation maintain privacy throughout the process?
5 Identify and assess the risk
This stage requires a considerable assessment based on the previous findings of the DPIA. In particular, to assess the risk and impact, the controller needs to consider the potential damage or threat that could arise from the personal data processing. This includes the risk of identity theft, loss of control over personal data, loss of individual data rights, reputational damage from breaches, financial loss, loss of CIA (Confidentiality, Integrity and Availability), missing data controls, and so on.
To assess the impact of a risk, the ICO recommends having a risk matrix in place that considers the likelihood and severity of the possible harm from the processing. Based on your corporate status, stability and the risk matrix result, you can decide and establish criteria to accept, tolerate or mitigate the risk.
6 Identify measures to mitigate the risk
Once the risk is assessed, it is time to minimise it by considering appropriate measures and controls for the data processing and individuals’ privacy. The mitigation plan varies between organisations and the nature of their processes and procedures. However, a DPIA should take into account the cost and the measures associated with each item of personal data and each processing requirement in order to reduce the risk. These measures include:
- Training of processors and staff to ensure risk management
- Avoiding the storage and sharing of the sensitive types of data
- Advanced technologies and strict security measures for data protection
- Reduction in time of data storage.
7 Sign off and record the outcome
Now that the risks are identified and the mitigation plan is ready, it is time to conclude the data protection impact assessment and implement the plan to remediate all the risks identified during the evaluation.
Sometimes it is not possible to eliminate all of the risks; in such cases you have to reduce the risk to an acceptable level. If, however, a high risk remains and mitigation is not possible, you have to consult your data protection officer before proceeding with the processing.
Without the need to reinvent the wheel, there are many good examples from industry of how you can record your DPIA process and outcome.
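As an added illustration of steps 5 to 7 (not code from the original article or from the ICO), the following Python sketch keeps a small DPIA risk register, scores each risk on a likelihood × severity matrix, records the residual rating after a mitigation, and derives the sign-off outcome, including the rule that a high risk which cannot be mitigated means consulting the data protection officer before processing. The three-level scales, the score thresholds and the sample CCTV project are assumptions constructed for the example.

```python
# Added example, not from the article: a minimal DPIA risk register that applies
# a likelihood x severity matrix (steps 5-6) and derives the sign-off outcome
# (step 7). The three-level scales and the score thresholds are assumptions.
from dataclasses import dataclass
from typing import List, Optional

LIKELIHOOD = {"remote": 1, "possible": 2, "probable": 3}
SEVERITY = {"minimal": 1, "significant": 2, "severe": 3}

def overall_risk(likelihood: str, severity: str) -> str:
    # Assumed thresholds on the 3x3 product: 1-2 low, 3-4 medium, 6-9 high.
    score = LIKELIHOOD[likelihood] * SEVERITY[severity]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

@dataclass
class Risk:
    description: str
    likelihood: str
    severity: str
    mitigation: str = ""  # step 6: the measure chosen, if any
    residual_likelihood: Optional[str] = None  # ratings after mitigation
    residual_severity: Optional[str] = None

    def inherent(self) -> str:
        return overall_risk(self.likelihood, self.severity)

    def residual(self) -> str:
        # Without a recorded mitigation the residual risk equals the inherent one.
        return overall_risk(self.residual_likelihood or self.likelihood,
                            self.residual_severity or self.severity)

def signoff_outcome(risks: List[Risk]) -> str:
    # Step 7: accept when every residual risk is low, tolerate documented medium
    # risks, and consult the DPO before processing if a high risk remains.
    residuals = [r.residual() for r in risks]
    if "high" in residuals:
        return "consult DPO before processing"
    if all(r == "low" for r in residuals):
        return "accept and sign off"
    return "sign off with mitigations tracked"

# Constructed sample register for a hypothetical CCTV analytics project.
SAMPLE_REGISTER = [
    Risk("Footage retained indefinitely", "probable", "significant",
         mitigation="30-day retention with automatic deletion",
         residual_likelihood="remote"),
    Risk("Unauthorised access to footage", "possible", "severe",
         mitigation="role-based access control and access logging",
         residual_likelihood="possible", residual_severity="significant"),
]
```

Each entry keeps both the inherent and the residual rating, so the register itself is the documented judgement the article asks for at sign-off.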
ICO DPIA Template
You should download the official ICO DPIA template:
DPIA template in docx format is available for download here:
The more proactive you are about data protection and privacy, the more trust and reliability you will gain from your customers and users. Adherence to compliance is necessary for business growth and should not be neglected. In the ever-evolving digital landscape, businesses’ cyber health and security are crucial, and businesses must be aware of the impact of the data they process and control. Data protection impact assessment guidance is the reference should you need further clarity and a stronger hold on the subject.
With dedicated assessments such as data protection impact assessments, organisations can reduce the chances of privacy loss and prepare themselves to combat risk with privacy-driven approaches and suitable risk management plans. Get in touch with Cyphere to discuss compliance requirements and challenges around data protection and its impact on processing.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master’s degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.