Dec 20

Conducting Data Protection Impact Assessments (DPIAs)

Introduction

A Data Protection Impact Assessment, or DPIA, is a risk assessment process that data controllers conduct to identify, analyze, and minimize the privacy risks arising from the collection, storage, sharing or any other processing of personal data. DPIAs focus on:

  • Understanding the potential impact of data processing activities on individuals’ privacy, both for a single person and at scale;
  • Compliance with data protection regulations, such as the GDPR.

In simple words, from the GDPR standpoint, the main goal of a DPIA is to assess whether a particular project, system, or technology poses a high risk to the rights and freedoms of natural persons. DPIAs help organizations make informed decisions about the design and implementation of data processing activities, select the proper technical and organizational measures to ensure data security, reduce the risk of non-compliance and avoid significant fines and mistrust from regulatory authorities and the general public.

Pre-DPIA considerations

Carrying out a pre-assessment DPIA is a preliminary step that allows you to assess whether a full-scale DPIA is needed. A pre-DPIA also helps you assess the potential data protection and privacy risks, consider the necessity and proportionality of the planned data processing operations, and put the necessary safeguards in place in the early stages of the project.

Before conducting a full-scale DPIA, you are also strongly encouraged to consult the Guidelines provided by the Working Party 29 (predecessor of the European Data Protection Board) to make sure you are doing the right things.

You should also check if supervisory authorities in your country have published any additional guidelines and/or assessment tools to be used when conducting a DPIA. If yes, make sure you also factor them in.

Finally, while Article 35(3) of the GDPR contains a non-exhaustive list of cases in which a DPIA is required, the supervisory authorities in your country may also establish and publish a list of the kinds of processing operations for which a DPIA is required or, vice versa, not required. You should consult that list before deciding to conduct a full-scale DPIA.

Considerations when conducting a DPIA

From the GDPR standpoint, there are several considerations to have in mind when conducting a full-scale DPIA:

  • If you have a Data Protection Officer (DPO), you should seek his/her advice;
  • Do not forget to consult Article 35(7) of the GDPR to include in your DPIA report all the required pieces of information;
  • When assessing the impact of the processing operations, do not forget to take into account compliance with relevant codes of conduct;
  • Where appropriate, you should also seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations. If you decide not to do this, you should also document the reasons why you think that seeking the views of data subjects would not be appropriate.

It is important to note that the risks you identified during a DPIA may change over time. When this happens, you should review the DPIA you previously conducted to ensure that the assessment is still valid and up to date.

Consultation with supervisory authorities under the GDPR

As mentioned above, from the GDPR standpoint, a DPIA is required when a processing operation is likely to result in a high risk to the rights and freedoms of natural persons. It is the responsibility of the data controller to assess the risks to the rights and freedoms of data subjects, to identify the measures envisaged to reduce those risks to an acceptable level, and to demonstrate compliance with the GDPR.

If the risks have been considered as sufficiently reduced by the data controller, the processing can proceed without consultation with the supervisory authority. 

In cases where the identified risks cannot be sufficiently addressed (i.e. the residual risks remain high), the data controller must consult the supervisory authority.

Examples of an unacceptably high residual risk include instances where the data subjects may encounter significant, or even irreversible, consequences that they may not be able to overcome (e.g. illegitimate access to data leading to a threat to the life of the data subjects, dismissal, or financial jeopardy) and/or where it seems obvious that the risk will materialize (e.g. by not being able to reduce the number of people accessing the data because of its sharing, use or distribution modes, or when a well-known vulnerability is not patched).

So, in the scenarios described above you should make sure that supervisory authorities are duly consulted.

***

Conducting a DPIA that also ticks all the legal boxes is tough. It’s a tricky process, but by teaming up with DPOrganizer, you are putting your DPIAs in the hands of experts who know how to pull together a top-notch assessment report of the processing activities you undertake.

DPOrganizer’s comprehensive software and services are here to lift your privacy program to a whole new level. Get started now!
