In Part I of this two-part blog series we will give an introduction to EU GDPR Article 35 – Data Protection Impact Assessment (DPIA) and some best practices for conducting them. In Part II we will summarize the six essential elements of a DPIA program.
Part I: Introduction & Background
As the GDPR compliance deadline of May 25, 2018 grows closer, organizations should have a documented process for conducting privacy impact assessments (PIAs) and DPIAs. Before building a DPIA program, however, it is useful to review what a DPIA is and when one must be conducted.
Data Protection Impact Assessment (DPIA)
A DPIA is a documented assessment of a processing activity that is likely to pose a high risk to the rights and freedoms of individuals. It helps an organization identify those risks, evaluate them, and decide on the measures needed to reduce them before the processing begins.
When is a DPIA required?
The GDPR (Article 35) requires that a DPIA be carried out before any processing activity that is likely to result in a "high risk" to the rights and freedoms of individuals takes place.
The GDPR itself gives only a short, non-exhaustive list of such processing (Article 35(3)) and does not define high-risk processing in general. The Article 29 Working Party has, however, published criteria for identifying high-risk processing that can serve as guidance. The categories include evaluation or scoring (including profiling and prediction), automated decision-making with legal or similarly significant effects, systematic monitoring, the processing of sensitive data, and processing that relies on new technology. One example of high-risk processing in the evaluation or scoring category is conducting credit checks.
While the GDPR does not dictate how an organization must conduct a DPIA, Article 35(7) does specify four elements that every DPIA must contain:
1. a systematic description of the processing operations and the purposes of the processing;
2. an assessment of the necessity and proportionality of the processing in relation to those purposes;
3. an assessment of the risks to the rights and freedoms of individuals; and
4. the measures envisaged to address those risks, including safeguards and security measures.
Data Flow Mapping & Data Inventory
Before creating a DPIA process, it is useful to have a clear picture of what personal data your organization holds, where those data are located, and how they flow through the organization and to third parties. With that in mind, it is essential to develop a data inventory and to map the organization's business process flows or systems, so that each processing activity can be identified and assessed.
Use Assessments Appropriate for Processing Risk
Not all systems and processes require the same type of assessment. The appropriate assessment depends on the nature and risk of the processing activity being assessed and on the organization's privacy and data protection compliance goals.
To address varying levels of data processing risk and complexity, TrustArc offers the following GDPR-focused solutions:
- Privacy Impact Assessment
- GDPR Standard Data Protection Impact Assessment
- GDPR Legitimate Interest Assessment
- Comprehensive Data Protection Impact Assessment
TrustArc DPIA Solutions are part of our technology platform and can be augmented by our team of consultants to help an organization build a customized DPIA process. For additional guidance on conducting DPIAs, and for more information on TrustArc DPIA solutions, contact us today.