What is a data protection impact assessment (DPIA)?
A data protection impact assessment (DPIA) is a process designed to help organizations determine how data processing systems, procedures or technologies affect individuals' privacy and eliminate any risks that might violate compliance. Conducting data protection impact assessments is a key requirement under the European Union's General Data Protection Regulation (GDPR), enacted in May 2018, that introduced a mandate for companies to perform DPIAs before carrying out types of data processing resulting in high risks to individuals' rights and freedoms.
The GDPR requires a DPIA when a company begins a new project that is likely to pose a high risk to people's personal information. Organizations that fail to conduct a DPIA could face penalties, including a fine up to 2% of the company's annual global revenue or 10 million euros, whichever is greater.
Situations that require a DPIA
Examples in which a DPIA should be conducted might include the following:
- A bank screening its customers against a credit reference database.
- A hospital planning to implement a new health information database with patients' health data.
- A bus operator getting ready to implement on-board cameras to monitor drivers' and passengers' behavior.
However, a DPIA would not be required for community doctors processing the personal data of their patients when the processing is not on a large scale and the number of patients is limited. When it is unclear whether a DPIA is required, the assessment might still be carried out because it is a useful tool to help organizations comply with data protection law.
Purpose of a DPIA
Many legal experts consider conducting DPIAs to be one of the most important parts of the GDPR, which is focused overall on giving individuals better control over their personal data and establishing uniform data protection rules across Europe. Although the GDPR applies specifically to the European Union, many companies that are based outside the EU but that do business globally are employing the GDPR's terms, including requirements for DPIAs, worldwide.
According to the GDPR, a DPIA is the responsibility of the "controller," which refers to the company or organization that determines the purposes and methods of processing data. For example, a bank that outsources the processing of data to a service provider is liable for complying with the GDPR and completing the DPIA when necessary.
According to the European Commission, the EU's legislative arm, a DPIA is mandatory at a minimum in these following instances:
- An extensive, systematic evaluation of the personal aspects of an individual, including profiling.
- The processing of sensitive data on a large scale.
- The systematic monitoring of public areas on a large scale.
What to include in a DPIA
The GDPR does not outline a precise format for a DPIA so that organizations can create one that complements their practices and fits frameworks already in place. However, a few basic steps may include the following:
- Identify a data processing operation that might have high risk of affecting an individual's rights and freedom.
- Chart the flow of information during the process, including collection, storage, use and deletion.
- List any threats or vulnerabilities to personal data collection.
- For each risk, evaluate how to reduce the impact.
- Record the outcomes of the DPIA in a report that is signed by executives.
- Use the report to ensure the project plan is following guidelines and that risks have been mitigated.
Many companies are already familiar with the use of privacy impact assessments to identify and assess privacy risks throughout the development life cycle of a data processing program or system. Organizations that employ privacy impact assessments must review their processes to make sure they comply with GDPR requirements.
While organizations should conduct DPIAs before undertaking data processing programs, the assessments should be ongoing. Additionally, DPIAs should take into account compliance risks as well as broader risks to the individual's privacy such as the potential for social or economic disadvantage. Although a DPIA does not have to indicate that all risks have been eliminated, it should help companies document them and assess whether any remaining risks are justified.