Data protection impact assessment template and tips

Current state of data protection and privacy legislation

Owing to the increasing importance of data protection, especially from threats such as phishing and ransomware attacks, regulations and statutes have been issued to specify how data should be protected, and in particular, how to conduct a DPIA.

Internationally, the regulation most often cited is the EU GDPR. Similar regulations have been issued in other countries, such as the U.K. and India. The GDPR has specific penalties for noncompliance, so it's not surprising that a DPIA is a GDPR requirement.

While the U.S. currently has no formal national data privacy legislation, at least 15 states have passed legislation that mandates data privacy -- especially for personal and health data. Other legislation, such as HIPAA and the Gramm-Leach-Bliley Act, include sections addressing data protection and privacy.

Importance of a data protection impact assessment

Aside from potential penalties for failing to demonstrate that critical data is being protected, data protection is an important part of an overall data management program. Such a program addresses data storage, data security, data recovery in an emergency and data destruction. Under the umbrella of data security, data protection is a key element.

Considering the different ways data is handled, one can make the argument that unprotected data is at risk of theft, corruption, improper use and other damage. A DPIA is an increasingly important way to ensure that critical data is protected from malware and other threats. Results of a DPIA can identify risks, threats and vulnerabilities in how data is processed, accessed, stored and otherwise used.

Key considerations when preparing for a DPIA

Performing a data protection impact assessment can be a highly complex task and one that is becoming increasingly mandatory in today's IT ecosystems. The following are key considerations:

• Exercise care when analyzing personal data by ensuring the data owner has given permission to examine the data; this protects data confidentiality. Failure to do this might result in litigation.
• Data processing in special categories or relating to criminal offenses must be identified.
• Large-scale geographic areas might be examined for publicly accessible data.
• Concerns over data processing of personally identifiable information (PII) that involves children -- who might be underage and not understand what is happening -- genetic data or biometric data owing to its unique characteristics and potential risk.
• Special processing requirements that need consultation with an appropriate authority might generate a list of processing activities requiring a DPIA.
• The organization charged with examining the DPIA results might specify standards and procedures to perform, verify and audit the DPIA.
• When performing the risk assessment part of the DPIA, evaluate the level of risk associated with the proposed processing and consider both the likelihood and severity of any risk effects on individuals and PII.

What must be included in a DPIA

Each assessment should include, at a minimum, the following content:

• Detailed system-based description of the proposed processing activities.
• Explanation of why such processing is occurring.
• Analysis of the need for and materiality of the proposed processing as aligned with the stated purpose(s).
• Examination of the risks to and effects of the proposed processing on the rights and freedoms of data subjects (e.g., individuals, children).
• Description of how the proposed processing complies with GDPR Article 35.
• Documented evidence of consultation with the organization's data protection officer (DPO), if one is available.

The above items not only demonstrate regulatory compliance, but will be key evidence during any audits of the data management program.

Key steps of a DPIA

IT organizations preparing for a DPIA must also be knowledgeable in performing a risk analysis. The following are recommended steps to perform a DPIA.

1. Identify the need for a DPIA

Ensure the need to process PII is necessary and can be justified. This includes the following:

• Describing the project in which data is to be processed.
• The type of processing planned. For example, collecting data using a specialized device such as a heart monitor that stores data for further analysis and processes it into a heart health report can be considered PII.
• Key considerations described earlier that might require a DPIA.

2. Identify how data is collected and processed

Explain the nature of the planned processing in multiple perspectives, such as the following:

• The goal(s) of the proposed processing.
• The system(s), application(s) and data repository to be used.
• Data source(s).
• What data is to be shared and with whom.
• If data can be deleted.
• Security measures to ensure data privacy.
• How and where data is to be used.
• Geographical scope of the data.
• How individuals whose data is to be processed will respond to their personal data being used.
• Any unusual risks associated with the processing.

3. Consult with the correct parties

Identify and consult with internal and external subject matter experts and stakeholders whose advice will be needed as part of the planning and execution of the processing. This can include anyone managing the data processing and data security experts.

4. Determine the necessity of data processing

Establish the following:

• The relevance of the proposed processing and the goals to be achieved.
• If the processing is needed or if a different type of processing is indicated.
• If the processing is lawful.
• The right amount of data to be processed to achieve the project goals.
• The data to be delivered to individuals.
• Guarantee processing entities perform as planned.

5. Assess the risks associated with data processing

Identify technological, operational, human-based and other risks that could impact processing and decide how to address them. The risk assessment looks at the following:

• The likelihood of damage to the data.
• The severity of the risk if the data is compromised.
• The consequences if the risks aren't mitigated; these can be rated as low, medium or high.

6. Take steps to mitigate risks

Once risks have been identified, assess the following to mitigate or eliminate the risks.

• Ensure the mitigation steps are appropriate.
• Determine if the steps can eliminate all risk or if there might be residual risk that can't be addressed.
• Determine the level of risk acceptance.
• Ensure risk mitigation measure(s) are approved.

7. Record the outcomes of the DPIA

In this final step, organizations must do the following:

• Secure necessary approvals from IT management.

• Finalize the DPIA with signatures of key individuals, such as the DPO and others.
• Document the completed DPIA.

These steps are consistent with good practices and with the GDPR regulations that provide specific requirements for DPIAs.

DPIA templates

To simplify the process and to help launch a DPIA project, consider these two templates:

• This template helps determine if a DPIA is needed.
• This template provides the steps to initiate the DPIA project and is consistent with GDPR Article 35. Software that facilitates the development of DPIAs should also be considered.

How DPIAs are affected by GDPR and other regulations

As noted earlier in this article, the GDPR and other international regulations are very specific about performing a data protection impact analysis. Current legislation in the U.S. mandates the protection, privacy and integrity of PII, but doesn't advocate a DPIA. The American Data Privacy and Protection Act (ADPPA), likely the U.S version of the GDPR, is currently awaiting future action by Congress. More recently, President Biden issued an Executive Order on February 28, 2024, to protect Americans' sensitive personal data. It focuses on PII that might be transferred overseas and might address national security risks.

DPIA implementation tips

If it appears a data protection impact assessment might be needed, the following tips can help in the preparation and completion of a DPIA:

1. Read everything available on DPIAs to become familiar with the process, and study the GDPR and other relevant legislation.
2. Secure senior management approval to proceed with an initial review of the situation and funding for a formal project.
3. Establish a project team, including the DPO if one is available.
4. Develop a formal project plan based on the steps associated with a DPIA.
5. Examine the possible acquisition of DPIA software.
6. In the initial examination, determine if the information needed to complete all parts of a DPIA are available or can be obtained.
7. Identify tools that can help with the risk analysis, including software.
8. Identify potential consultation candidates who can lend their expertise to the assessment.
9. Establish a process to document the DPIA through its various steps.
10. Identify individuals who can approve the completed DPIA.

Paul Kirvan is an independent consultant, IT auditor, technical writer, editor and educator. He has more than 25 years of experience in business continuity, disaster recovery, security, enterprise risk management, telecom and IT auditing.