Data protection impact assessment tips and templates

Elements of a DPIA

GDPR Article 35 specifies the requirement to perform a DPIA but provides no guidance on how to conduct one. As such, many different interpretations on planning and conducting DPIAs have been developed by EU member nations, as well as independent vendors and consultancy firms.

EU member nations are required to have an organization in place to administer and coordinate GDPR regulations within their borders. In the U.K., for example, the Information Commissioner's Office (ICO) coordinates all GDPR compliance activities and serves as an important resource for organizations outside the U.K. and for other EU members. Organizations in the U.S. that have an EU connection are advised to contact the relevant coordinating agency in the nation(s) that may be affected.

A DPIA is required in situations where:

• a comprehensive analysis is desired of data associated with individuals that is based on automated processing -- for example, profiling -- that results in legal decisions and/or actions concerning the individual(s);
• processing of data is desired in special categories or relating to criminal offenses;
• a large-scale geographic area is examined for publicly accessible data;
• examination of data involving children, genetic data or biometric data is desired; or
• additional processing requirements are identified that need consultation with a supervisory authority that may publicize a list of processing operations requiring a DPIA.

DPIAs must include the following:

• a detailed system-based description of the proposed processing activities along with the purpose of such processing;
• an analysis of the need and materiality of the proposed processing as aligned with the stated purpose(s);
• an examination of the risks to and effects of the proposed processing on the rights and freedoms of data subjects;
• detailed actions for the proposed processing that demonstrate compliance with GDPR Article 35, acknowledging the rights and appropriate interests of data subjects; and
• evidence of consultation with the organization's data privacy/protection officer (DPO).

Additional considerations include the following:

• The EU member's GDPR coordinating agency may expand DPIA requirements, such as scalability, auditability and verification, and may also specify actions to be taken by subject matter experts.
• The coordinating agency may specify standards and procedures for performing, verifying and auditing the DPIA.
• If a change in risk is identified by the processing entity, the entity's controller may confirm that the processing of personal data is still performed in compliance with the DPIA.
• When assessing the level of risk associated with the proposed processing, consider both the likelihood and severity of any effects on individuals and PII.
• Identifying a high-risk situation that cannot be suitably mitigated may necessitate contacting the coordinating agency -- for example, the U.K. ICO -- in the relevant EU nation(s) before processing commences.

Data protection impact assessment templates

Preparing a DPIA may seem like a daunting task. Use these two templates to determine 1) if there is a bona fide reason to prepare a DPIA and, if so, 2) the information that needs to be gathered for the DPIA.

Note, these templates are based on guidance provided in GDPR Article 35 and are adapted from content and guidance developed by the ICO.

Conducting a data protection impact analysis

Companies should organize and conduct a DPIA before commencing any data processing activities. It is best to perform the DPIA during the planning stages of the proposed processing. A key player for DPIA consultation is the DPO, along with other relevant stakeholders.

Next, use a template -- such as the ones associated with this article -- to help guide you through the process of determining whether the proposed data processing activity requires a DPIA. The template will ask questions to help organizations understand the scope of the data processing and determine what is needed to protect the data in the course of actual processing.

The following steps are recommended when performing a DPIA:

1. Identify the need for a DPIA. Ensure the need for processing PII is necessary and can be justified.
2. Describe the proposed data processing. Explain the processing in technical terms, for example, the system(s), application(s) and data repository to be used, as well as security measures to ensure data privacy.
3. Identify consultation to be secured. Indicate internal and external subject matter experts whose advice will be needed as part of the planning and execution of the processing.
4. Assess the necessity and materiality of the processing. Determine the relevance of the proposed processing and the aims and objectives to be achieved.
5. Identify and assess processing risks. Identify technology, operational, human-based and other risks that could affect successful processing.
6. Identify mitigation activities to address the identified risk. Once risks have been identified, assess remedies to mitigate or eliminate the risks.
7. Obtain approvals. Secure necessary approvals from IT management, including the DPO.

The templates in this article will help facilitate the information-gathering needed to complete a DPIA. They can also be used by auditors to examine the data, the DPIA and, in turn, the proposed processing. Completion of a DPIA, as noted earlier, is also an important benchmark for compliance with GDPR.

Organizations that fail to comply with GDPR requirements risk severe penalties, including fines of up to 20 million euros or 4% of annual revenue, whichever is higher. Such penalties for not performing a DPIA are likely to be assessed by the EU nation's GDPR coordinating agency.