Data Protection Impact Assessments (DPIAs) are mandatory for certain situations, and a great tool for understanding and assessing risk. But if you’ve done one, you also know that it can be quite time consuming, and there really are no shortcuts to doing it right.
This means you have to be prepared to spend adequate time on doing DPIAs properly. But it also means, you have to be cautious not doing too many of them.
One way to make it easier for your colleagues to contribute, and ensure your time is spent on what really matters, is using DPIA pre assessments.
A DPIA pre assessment is used to assess if a full DPIA is appropriate. It takes far less time and effort to complete (you choose what questions go in there of course!), and is easier for anyone from the business side to complete.
Many of our more mature customers establish a process where the business completes a DPIA pre assessment when they are considering starting a new project, campaign or otherwise intend to change the processing of personal data. Easy and quick for them to share details with the privacy team, and easy for the privacy team to decide if further actions, such as a full DPIA, is necessary.
Below is our template available to all customers in DPOrganizer. Easy to use as is, easy to customize in whatever way you prefer, and easy to make available for your colleagues; let DPOrganizer send out the questionnaire, or post a link to it somewhere your colleagues can access it, and you’ll be notified whenever a new submission is made!
We hope this can serve as inspiration for building a better process internally!
DPIA pre assessment
1. Describe the processing activity
Describe the project/activity, including nature and purpose, who and what it involves and if possible, a timeline for start and completion.
This is a very general template, and in some cases our customers will have different templates for different departments or types of projects or changes, like new marketing campaigns, onboarding new vendors, new partnerships etc.
2. Will personal data be processed?
Personal data is any data that by itself or in combination with other data can identify a person.
Depending on who the reader is, you might want to have even more information about what may constitute personal data, or if you’re using DPOrganizer’s tool you could include videos and images etc to make the experience even more vivid.
3. Which of the following risk indicators are applicable for the relevant processing activities?
Select all options that apply to what will be done within the planned or existing activity.
Processing personal data on a large scale is applicable if
– the number of data subjects concerned, either as a specific number or as a proportion of the relevant population is high,
– the volume of data and/or the range of different data items being processed is large,
– the duration, or permanence, of the data processing activity is long, or
– the geographical extent of the processing activity is large.
Special category personal data is defined as racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It may also be genetic data, biometric data when processed for the purpose of uniquely identifying a person, or data concerning health or data concerning an individuals’ sex life or sexual orientation.
Vulnerable data subjects refer to people (whose personal data is processed) who may be unable to consent or oppose the processing of their data, or to exercise their rights. Children, employees, mentally ill individuals, asylum seekers, or the elderly or patients are examples of people who may be considered vulnerable data subjects.
Processing special categories of personal data or other highly personal data such as criminal convictions
Processing personal data about vulnerable data subjects
Matching or combining different sets of personal data
Evaluating or scoring data subjects, including profiling or predicting behaviour
Making automated decisions about data subjects without human action that would have a legal impact on the data subject or significantly impact the data subject
Systematically monitoring to observe or control data subjects
Preventing data subjects from exercising a right or using a service
Use new technical capability that the organisation has not used before
Transfer of personal data to third countries
None of these
Again, depending on who the readers are, their attention span and level of experience, you might want to tweak the text.
You can also assign different risks levels to response alternatives. This way you can directly see which submissions seem to concern more risk than others, which helps you prioritise.
4. What risk is at hand for individuals whose personal data may be processed?
Indicate the risk level that is applicable in your opinion. Consider the negative effects that people may suffer if an incident occurs and their data is lost, altered or accessed by unauthorised parties.
Irrelevant question if the person responding is not a privacy expert? Just helping people consider privacy risks is often a good way to build culture and prevent problems.
5. Is the processing activity listed by a relevant supervisory authority as an activity where a Data Protection Impact Assessment always should be done?
Many supervisory authorities have produced lists of processing activities that always require Data Protection Impact Assessments. More information may be available on the website of your supervisory authority.
6. Has a Data Protection Impact Assessment already been conducted for the relevant processing activity?
If a Data Protection Impact Assessment has already been conducted, a new one may not be necessary.