The GDPR: What is a DPIA and should you do something with it
In our list with 10 tips to help you prepare for the GDPR, tip 8 deals with the data protection impact assessment (DPIA), also known as ‘privacy impact assessment’.
The Dutch term is Gegevensbeschermingseffectbeoordeling. Hereinafter we shall deal with this subject matter in more detail.
What is a DPIA?
A DPIA is an examination of the impact specific processing of personal data may have on privacy.
It is an instrument which, prior to the performance of a specific processing, is meant to map what you are actually doing, who has access to what and which risks that processing entails. Based on the outcome of a DPIA measures can then be taken to limit those risks. It is in any case wise to carry out a DPIA at an early stage in a project. This may prevent that afterwards a lot of things will have to be ‘repaired’.
When is a DPIA obligated?
A DPIA is obligated if there is a high-risk bearing processing. This could for example be the case if it is about a large number of data subjects. But also if a lot of personal data per data subject are being processed or if it is about special or sensitive personal data such as medical or financial data. Also the purpose could create a high-risk bearing processing.
The GDPR mentions processing for which in any case a DPIA is obligatory:
- automated and systematic evaluation of personal aspects relating to natural persons, such as profiling, upon which decisions are based that produce effects concerning the natural person;
- large-scale processing of sensitive personal data and personal data relating to criminal convictions and offences.
- large-scale and systematic monitoring of a publicly accessible area (for example camera surveillance).
This is a non-exhaustive list though.
The recently published Guide GDPR of the Ministry of Security and Justice gives a list of 9 criteria, including matching or combining databases and the processing of data of vulnerable data subjects.
If a processing meets two or more of those criteria there is a high risk and a DPIA is then obligated.
A DPIA is for that matter not only relevant in relation to a new processing with a high risk. Carrying out a DPIA on your most important and extensive processing that already exists is also a manner to assess whether your current processes meet the requirements of GDPR.
What should a DPIA consist of?
The DPIA must give a systematic description of the intended processing and the purpose thereof.
If the basis for the processing is a legitimate interest of the controller, this interest must also be explained.
The necessity of the processing must be shown. Apart from that it must be motivated why a less stringent method would not be possible (the proportionality of the processing).
It must be assessed which risks there are for the protection of the data of the data subjects and their rights and freedoms.
Finally it must be decided whether and in what way those risks can be limited.
Should the conclusion be that the risks cannot be limited with reasonable measures, the intended processing must be submitted to the Dutch Data Protection Authority for assessment.
Who carries out a DPIA?
You can have a DPIA carried out by an external party, but also by your own employee(s). A condition of course is that your employees then have sufficient knowledge of the processes, the techniques and the possible risks.
These persons will have to gather information from the organisation in order to obtain an accurate impression of aspects such as the nature of the project, the various stakeholders and data subjects, what kind of personal data will be collected and of whom, for which they will be used and with whom they will be or can be shared, whether the data are going to be further processed, by whom and for what, the company processes and the security.
After that the state of the following, amongst other things, will have to be assessed:
- purpose limitation; the data may be used only for the intended and communicated purpose of the processing;
- data minimisation; no more than what is strictly necessary may be collected;
- grip on the quality of personal data;
- security, technical as well as organisational, across the board;
- disclosure to the data subjects;
- the possibilities for the data subjects to exercise their rights;
- accountability: on all fronts it must be shown that you comply with the GDPR.
What risks play a role at the processing of personal data?
On the basis of the inventory you are going to estimate the impact on the privacy of the data subject, or you will have this estimated by a third party. There is for example a higher risk if it is about personal data that could lead to identity fraud.
A Data Protection Impact Assessment is not one-off.
A DPIA is not a one-off matter. The purport is that the results of a DPIA that has been performed will be evaluated on a regular basis, for example annually, because situations change. There is certainly reason for an evaluation if for example new or other technologies are going to be used.
Position of the Data Protection Officer (DPO)
The DPO is not responsible for carrying out DPIA’s. He does have an advisory and supervisory role though and therefore he must be involved in the DPIA-process timely.