What Are Data Protection Impact Assessments in GDPR?
The General Data Protection Regulation (GDPR) has fundamentally changed how organizations do business in the European Union. It isn’t enough to pass an audit or tick off a fixed list of security requirements. Like many high-stakes security contexts, GDPR requires a company to dedicate significant, ongoing effort to data privacy, cybersecurity and the rights of the individuals whose data it handles.
To address high-risk data processing, GDPR may require your business to complete a Data Protection Impact Assessment (DPIA). For many companies these are not optional, so we cover the details in this article.
What Is a Data Protection Impact Assessment?
Article 35 of GDPR states that:
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
In other words, a controller must assess a processing operation before starting it whenever that processing is likely to put the rights and freedoms of individuals at high risk. The assessment is the record of a process by which the organization identifies the risks of the processing, decides how to reduce them, and shows that the result complies with GDPR.
The assessment must be completed before processing begins, and it must set out how the envisaged operations may, or will, affect the protection of personal data and the rights and freedoms of the individuals concerned.
Article 35(1) is deliberately general, which can make it hard to apply. However, Article 35(3) and the European guidelines give several clear cases where a DPIA is required or strongly indicated:
- Implementing New Technologies: If your organization is introducing new network, processing or collection technology, you will most likely need a DPIA showing that neither the technology nor the way you deploy it undermines data protection.
- Processing Special Categories of Data: Article 9 sets out special categories that carry stricter rules: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a person, health data, and data about sex life or sexual orientation. Article 10 adds data on criminal convictions and offences. Large-scale processing of any of these requires a DPIA. Location data and tracking of online behavior are not special categories, but systematic monitoring and tracking are risk indicators in the European guidelines and will often tip processing into DPIA territory.
- Attending to Potentially Harmful Situations: If a breach of the data could cause harm to the individual, including physical harm, then a DPIA is most likely called for.
- Monitoring Public Spaces: Systematic monitoring of a publicly accessible area on a large scale (for example, video surveillance) always requires a DPIA under Article 35(3)(c).
- Automated Decisions With Legal Effect: If your systems profile or evaluate individuals automatically, and the results produce legal effects for them or similarly significant effects (such as decisions on credit, employment or access to services), a DPIA is required under Article 35(3)(a).
Processing that was already under way on May 25, 2018 (the date GDPR took effect) is generally not subject to a retroactive DPIA. An assessment becomes necessary, however, where the technology has changed significantly since then, where the level of risk has changed for reasons unrelated to the technology, or where the legal or social context of the processing has changed. Conducting a DPIA on existing high-risk processing is in any case recommended as good practice.
The European Data Protection Board (formerly the Article 29 Working Party) publishes guidelines with a full list of criteria, and each national supervisory authority maintains its own list of processing operations that require a DPIA under Article 35(4).
Why Should I Conduct a DPIA?
Alongside demonstrating compliance with GDPR law, a DPIA also provides several benefits for an organization associated with risk assessment and mitigation.
Some of these benefits include:
- Planning Data Processing Around Risk Assessments: Risk management is a core tool in cybersecurity and compliance because it gives an organization a comprehensive view of its vulnerabilities and security gaps. A DPIA serves as a specialized risk assessment focused on the systems that process personal data.
- Reducing Overall Risk: A DPIA addresses GDPR-specific risk and provides a starting point for broader risk management. The documented understanding it produces can serve as the cornerstone of a focused, strategic risk program.
- Optimizing Project Cost: A DPIA is a snapshot of your systems and their weaknesses. With it on hand you have a much clearer picture of how personal data moves across your organization, which streamlines security work, system design and future assessments.
- Frontloading Data Privacy and Security: A DPIA forces your organization to put privacy and security at the front of system design, and that discipline inevitably extends beyond the assessed systems to everything they connect to.
What Goes Into Conducting a DPIA?
Article 35(7) sets a minimum content for a DPIA. The report must include:
- A systematic description of the operations and processes under assessment, including the purposes of the processing and, where relevant, the legitimate interest pursued by the controller. This should include a map of information flows to and from the technology under evaluation; if the data falls into a category that triggers a DPIA, every system or third party it flows to may fall within the scope of the assessment.
- An assessment of the necessity and proportionality of the processing in relation to its purposes: a justification for the mechanics and scope of what is being done with the data.
- An assessment of the risks the processing poses to the rights and freedoms of the individuals concerned, measured against the requirements of GDPR.
- The measures envisaged to address those risks, including safeguards, security measures and mechanisms that protect personal data and demonstrate compliance. This should draw on current, compliant data protection solutions and explain how each measure addresses the identified risk and contributes to compliance more broadly.
Furthermore, an organization that has designated a Data Protection Officer (whether a staff member or an external DPO engaged under a service contract) must seek the DPO’s advice when carrying out the DPIA. Article 37 makes a DPO mandatory for organizations in specific contexts, such as:
- Public authorities and bodies carrying out data processing (other than courts acting in their judicial capacity)
- Organizations whose core activities involve regular and systematic monitoring of individuals on a large scale
- Organizations whose core activities involve large-scale processing of the special categories of data in Article 9 or the criminal conviction data in Article 10
Any consultation with a DPO must be documented as part of the DPIA.
Finally, if your DPIA shows that the residual risk can be brought down to an acceptable level with updated or compliant technology and safeguards, you are not required to involve the regulator. If the DPIA indicates a high risk that the organization cannot adequately mitigate, Article 36 requires prior consultation with the competent supervisory authority (in Ireland, the Data Protection Commission) before the processing begins.
Prepare for GDPR and DPIA Procedures with Lazarus Alliance
Lazarus Alliance has specialized in compliance audits and risk assessments for over a decade. Our experience in rigorous compliance frameworks like HIPAA, GDPR, FedRAMP and NIST guidelines has prepared us to serve our clients. Furthermore, our experience with risk management, including the Risk Management Framework (RMF), allows us to assist our clients with complex compliance issues related to implementing risk management programs.
Are You Ready to Pursue GDPR Compliance?
Call Lazarus Alliance at 1-888-896-7580 or fill out this form.