In Part I of this two-part blog series we will give an introduction to EU GDPR Article 35 – Data Protection Impact Assessment (DPIA) and some best practices for conducting them. In Part II we will summarize the six essential elements of a DPIA program.
Part I: Data Protection Impact Assessment Introduction & Background
The General Data Protection Regulation (GDPR) compliance deadline of May 25, 2018, has passed, so organizations should have a documented process for conducting Privacy Impact Assessment (PIAs) and Data Protection Impact Assessment’s (DPIAs). However, before building a DPIA program, it is useful to review and understand what a DPIA is and when it is needed and how it should be conducted.
What is Data Protection Impact Assessment (DPIA)?
A DPIA is designed to help an organization with risk assessment associated with data processing activities that may pose a threat or high risk to the rights and freedoms of individuals. A privacy impact assessment helps to identify privacy risks during the development of a program life cycle. A PIA outlines how personal information will be handled and secured to maintain privacy.
When is a DPIA required?
The GDPR requires that DPIAs shall be conducted before a processing activity takes place that may pose a “high risk” to the rights and freedoms of individuals.
The GDPR does not define the types of processing that are likely to result in such a risk. The Article 29 Working Party has, however, provided sample categories of high-risk processing which can serve as a guide. The categories include profiling and predictive processing, automated-decision making that has legal effects, systematic monitoring, the processing of sensitive data, and processing that relies on new technology. One example of high-risk processing in the evaluation or scoring category would be conducting credit checks.
While the GDPR does not dictate the specific requirements of how organizations are supposed to conduct DPIAs, it does provide four elements that a DPIA assessment must contain:
- a systematic description of the processing operations and their purposes;
- an assessment of the necessity and proportionality;
- an assessment of the risks; and
- the measures needed to address the risks.
Benefits of privacy by design or embedding data privacy features early in design:
- Early identification of potential threats and problems.
- Early reduction of problems can save time and money.
- Increased privacy and data protection across the organization.
- GDPR compliancy.
DPIA Best Practices
Data Flow Mapping & Data Inventory
Before creating a DPIA process, it is useful to have a picture of what information your organization has, where the data is located, and how it flows through the organization. With that in mind, it is essential to develop a data inventory and map the organization’s business process flows or systems.
Use Assessments Appropriate for Processing Risk
Not all systems and processes require the same type of assessment. The type of assessment conducted is dependent on the type of processing activity assessed, and the privacy and data protection compliance goals of an organization.
To address varying levels of data processing risk and complexity, TrustArc offers the following GDPR-focused solutions:
- Privacy Impact Assessment
- GDPR Standard Data Protection Impact Assessment
- GDPR Legitimate Interest Assessment
- Comprehensive Data Protection Impact Assessment
Personal data processing where a DPIA is likely required:
- Hospital processing -patients’ genetic and health data.
- Personal sensitive data from research projects or clinical trials.
- An organization using an intelligent video analysis system to single out cars and automatically recognize registration plates.
- An organization that monitors publicly accessible areas via CCTV, body-devices, CCTV.
- Companies that monitor employees’ activities, including their workstations and Internet activity.
- Gathering of public social media data for generating profiles.
- Institutions that create national-level credit rating or fraud databases.
- Organizations that process large-scale special categories of data (e.g. health, religion or ethnic origin)
- Legal processing of personal data relating to criminal convictions and offenses.
- Evaluation of personal data based on automated decisions such as a denial of online credit applications or e-recruiting without a human based decision.
Who should conduct a DPIA?
A designated data controller, data protection officer, or someone with data protection knowledge and expertise should be responsible for the DPIA. If that does not apply to your organization, you should think about bringing in TrustArc GDPR, DPIA and PIA Consulting Solutions.
TrustArc DPIA Solutions are a part of our leading technology platform and can be augmented by our expert team of consultants to help build a customized DPIA process. For additional guidance on conducting DPIAs and more information on TrustArc DPIA solution, contact us today.