What is a DPIA and why are they so important?
A data protection impact assessment (DPIA) is a process that helps organizations identify and minimize the risks that result from data processing. DPIAs are usually undertaken when introducing new processes, systems, or technologies that process personal data.
DPIAs are a legal requirement under the GDPR (General Data Protection Regulation) for data processing that is likely to be ‘high risk’. Failure to carry out a DPIA when required may leave you open to enforcement action. This can include a fine up to 2% of your organization’s annual global turnover or €10 million – whichever is greater.
Regular DPIAs support the GDPR’s accountability principle, helping organizations demonstrate compliance. Conducting a DPIA can also help increase awareness of privacy and data protection issues within an organization.
When should you conduct a DPIA?
You require a DPIA when data processing is likely to result in a high risk to data subjects. The GDPR says you must conduct a DPIA if you plan to:
- Use systematic and extensive profiling with significant effects
- Process special category or criminal offence data on a large scale, or
- Systematically monitor publicly accessible places on a large scale.
Types of processing where a DPIA is likely to be required:
- A hospital processing its patients’ genetic and health data on its information system.
- The archiving of pseudonymised sensitive data from research projects or clinical trials.
- An organization using an intelligent video analysis system to single out cars and automatically recognize registration plates.
- An organization systematically monitoring its employees’ activities, including their workstations and Internet activity.
- The gathering of public social media data for generating profiles.
- An institution creating a national-level credit rating or fraud database.
The WP29 (Article 29 Working Party), which has now been replaced by the EDPB (European Data Protection Board), was responsible for issuing guidelines and opinions on aspects of the GDPR. Its guidelines on DPIAs set out the criteria that organizations should consider when determining the risks posed by a processing operation. The more of these criteria a processing operation meets, the more likely it is to present a high risk to the rights and freedoms of individuals, and therefore to require a DPIA.
The key elements of a successful DPIA
A good DPIA helps you demonstrate that you have considered the risks related to your intended processing and met your broader compliance obligations.
The GDPR does not specify a DPIA process to follow. Instead, it allows organizations to use a framework that complements their existing processes.
DPIAs and privacy by design
A DPIA should be conducted as early as possible in the project lifecycle, so that its findings and recommendations can be incorporated into the design of the processing operation.
Known as privacy by design, the embedding of data privacy features in the design of projects can have the following benefits:
- Potential problems are identified at an early stage.
- Addressing problems early will often be easier and cheaper.
- Increased awareness of privacy and data protection across the organization.
- Organizations will be less likely to breach the GDPR.
- Actions are less likely to be privacy intrusive and have a negative impact on individuals.
Who should be involved in conducting a DPIA?
Data controllers are responsible for ensuring the DPIA is carried out. The DPIA should be conducted by those with appropriate expertise and knowledge of the project in question – normally the project team.
Under the GDPR, any organization that has designated a DPO (data protection officer) must seek the DPO’s advice when carrying out a DPIA. This advice, and the decisions taken in response to it, should be documented as part of the DPIA process.