Even though the General Data Protection Regulation of the European Union has recently completed two years of being in force, there are still several challenges facing those who want to become compliant with it. In many cases, difficulties are found at the very beginning of the process, with organizations not even understanding what is required from them.
This article is part of our Privacy & Data Protection special series, created to provide this much-needed information in an accessible and easy format to organizations. This time, we will talk about Data Protection Impact Assessments (DPIAs), explaining what they are, when they are needed, and how they should be conducted. As always, if you like this content, make sure to follow our LinkedIn page to receive all the updates of our special series!
What is a DPIA? Is it mandatory?
DPIA stands for Data Protection Impact Assessment. It is a detailed analysis conducted before an organization begins a new project in which the processing of personal data is likely to involve a high risk to the rights and freedoms of data subjects.
The requirement for this assessment is established by Article 35 of the GDPR. The Regulation, however, is not clear as to which situations are considered to pose a high risk to data subjects. Recital 91 gives additional guidance, explaining that a DPIA is mandatory in cases in which:
- New technologies are used;
- Large amounts of data, especially if sensitive, and from a large number of subjects, are processed;
- Data is processed for the profiling of data subjects;
- Special categories of personal data are processed, such as data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic, biometric and health data, information concerning a natural person's sex life or sexual orientation, and data relating to criminal convictions and offenses;
- There is systematic monitoring of a publicly accessible place on a large scale;
- Children's data is being processed.
Note that in these cases a DPIA is mandatory for controllers, but not for processors! The latter, however, can assist in conducting the Assessment, upon request and when necessary.
It is also important to emphasize that, even when not mandatory, a DPIA is still a good practice for organizations to adopt, as it helps demonstrate GDPR compliance. The Assessment provides a clearer picture of how personal data is processed in the organization, the potential risks associated with that processing, and the measures taken to mitigate them.
What must be described in a Data Protection Impact Assessment?
A DPIA must contain a systematic description of the processing of personal data, including operational details and the purposes and legal basis of that processing. It also needs to demonstrate that the processing is proportionate and strictly necessary in relation to its purposes.
Finally, the organization must assess the potential risks to the rights and freedoms of data subjects, and show how it is going to address them - including putting in place safeguards and other security measures.
What happens when a DPIA is conducted but there is no way to mitigate the risks identified?
The relevant Supervisory Authority will have to be consulted if the organization concludes, after conducting a Data Protection Impact Assessment, that the risks associated with the processing cannot be mitigated.
The Authority will have up to eight weeks to decide on the matter, with an additional six weeks if the case is complex. While the decision is pending, the organization must stop the processing that is likely to result in a high risk.
When consulting the Supervisory Authority, controllers should provide:
- Their responsibilities in the processing, as well as those of any joint controllers and processors;
- The purposes and means of the intended processing;
- The measures and safeguards provided to protect the rights and freedoms of data subjects;
- The contact details of the Data Protection Officer (if there is one);
- The DPIA that triggered the consultation;
- Any other additional information requested by the Authority.
We know that GDPR compliance is a long journey, but it doesn’t need to be a difficult one. Our Xcure Privacy Management Tool was designed to help you easily map, document and maintain the requirements of the data protection regulation in your organization, and you can try it now for free!
Contact the Xcure team if you would like more information or a presentation of the Privacy Management Tool.