Complete Guide to conducting Data Protection Impact Assessment (DPIA)

Introduction

This article is part of the Brain On Security Series, and the topic is the Data Protection Impact Assessment (DPIA).

There are three reasons why I chose the Data Protection Impact Assessment (DPIA) for the first deep dive article in the Brain On Security Series.

  1. It’s October 24, 2021, Wednesday afternoon, and I am panicking because I decided to publish an article weekly on Wednesday.
  2. I needed to carry out a DPIA for an organisation, and I had to do a deep dive for my own understanding.
  3. I have purchased the CDPSE exam from the ISACA website, and I have to book the exam date ASAP.

This article aims to help you prepare for and conduct a Data Protection Impact Assessment (DPIA).

What is a Data Protection Impact Assessment (DPIA)?

To understand the DPIA, you must first understand the General Data Protection Regulation (GDPR). To help you visualise it, I have created the following mind map.

The GDPR has 11 chapters, each sub-divided into sections and articles, for a total of 99 articles. The link to the original GDPR text is here.

Article 35 of the GDPR (Chapter IV, Section 3) defines the DPIA as follows:

Simply put, a DPIA is “an assessment of the impact of the envisaged processing operations on the protection of personal data.”

Why do we need to carry out a DPIA?

The intention of carrying out a DPIA is to ensure that the personal data collected is used only for its intended purpose. It identifies the impact that a new or changed process or system has on the organisation’s compliance with its own privacy policy and with applicable privacy laws and regulations.

What is the purpose of a DPIA?

The purpose of a DPIA is to validate a proposed change from a privacy perspective: to confirm that the process, product or project has been built with privacy and security by design, and that its impact on privacy is neutral or positive.

What is a PIA?

A Privacy Impact Assessment (PIA) is a targeted risk assessment undertaken to identify the impact on individual privacy, and on an organisation’s ability to protect information, that results from a proposed change to a business process or information system.

What’s the difference between a PIA and a DPIA?

Short answer: PIA is the older term, but it was never well known. The GDPR coined the term DPIA and made it widely known.

Long answer: PIAs are not a new concept, but until the General Data Protection Regulation (GDPR) introduced the term DPIA they were not widely known either. The GDPR raised the visibility and awareness of the impact assessment process in the context of data protection by making it a legal requirement for any organisation whose processing of personal data is likely to result in a high risk to individuals. Essentially, the GDPR took the PIA, renamed it the DPIA and made it famous.

When should a DPIA be done?

A DPIA is triggered by significant change. Organisations carry out a DPIA whenever a new process, product or project will collect, store or transmit PII, or when a significant modification to an existing process, product or project may create a new privacy risk. Article 35 requires the assessment to be carried out before the processing starts, so the fact that a DPIA will need to be updated once the project is under way is not a valid reason for postponing it or not carrying it out.

What other benefits are there to carrying out a DPIA?

Beyond helping you avoid fines, which requires that you can demonstrate with evidence that DPIAs are conducted within the organisation, there are further benefits, some of which are listed below:

  1. Conducting a DPIA increases awareness of data protection risks.
  2. That awareness helps improve the design of your project, product or process and enhances communication about data privacy risks among the stakeholders.
  3. It demonstrates that your organisation complies with the GDPR.
  4. It increases customer confidence and trust by showing how mature your security and privacy practices are.
  5. It brings unknowns into the known: a DPIA is a risk assessment tool, so you are essentially identifying your risk exposure in order to manage it well. If you haven’t identified your risks, you have already accepted them.
  6. Understanding, awareness of and compliance with the GDPR increase your confidence in navigating your company towards success. By carrying out a DPIA you are helping your future self, preventing both complacency and panic when a privacy or security incident happens, and it will happen.

Who should conduct the DPIA?

Ideally, your organisation should have the answer to this question documented in the roles and responsibilities section of its privacy framework.

If your organisation does not have an official privacy framework, speak to your DPO, or to whoever is playing the role of DPO, and to your compliance team. Your compliance team or DPO should have a process defined for the DPIA. Note that under Article 35(2) the controller must seek the advice of the DPO, where one has been designated, when carrying out a DPIA.

The team or individual responsible for the DPIA process provides the required information, ensures that the DPIA’s findings are aligned with leadership, and obtains the management buy-in and the resources committed for the mitigation measures.

Who should be involved?

This depends on the scope of the product, project or process. If it cuts across multiple departments and teams within the organisation, you may need to speak to all of them; narrowing the scope is a legitimate way to reduce the number of people involved at any one time.

Step-by-Step DPIA Process Guide

The following mind map shows how you can carry out a DPIA for your organisation:

Step 1: Identify the need for a DPIA

Carry out an initial lightweight screening to see whether a full DPIA is needed; the screening questions at the end of this article are a starting point. If a DPIA is needed, move on to Step 2 to plan it.

Step 2: Plan your DPIA

Define the nature, scope, context and purposes of the processing to be assessed. You already have notes from the screening in Step 1; use them as the starting point for this description.

Step 3: Align with the stakeholders

Consult the relevant stakeholders: team members across your organisation from legal, compliance, product, engineering, security and data teams, and, where appropriate, the people whose data you intend to process.

Step 4: Carry out the DPIA

Understand the purpose of the data and of the processing performed on it; data flow and data usage diagrams help here. Ensure you have a valid lawful basis for processing the PII and that the processing is balanced against the rights of the people whose data you intend to process. The template process (provided in the resources section below) then covers identifying and assessing the privacy and data protection risks to individuals and planning the actions that will mitigate them.

Step 5: Add your findings to the risk register

The organisation needs to act on the considerations, conclusions and actions arising from the DPIA report. Add the risks identified during the DPIA to your organisation’s risk register for appropriate risk treatment, tracking until closure and ongoing monitoring. Track the actions identified, and once the processing is under way, test their operation against the original purpose and data protection considerations.

Closing Notes

A few things have become evident to me as I researched the topic of DPIA over the last week.

  • A DPIA or PIA is a process, not a stand-alone or one-off activity.
  • The DPIA should be part of your broader privacy programme.
  • The organisation should support the privacy programme through an enterprise risk management (ERM) framework.
  • An ERM framework that supports the privacy programme ensures you have the backing of the Board of Directors and leadership.

Common Privacy Risks Identified in a DPIA

Notification

  • Lack of transparency when collecting personal data

Purpose Limitation

  • Processing personal data for purposes that data subjects are not informed about.

Retention Limitation

  • Holding on to personal data when there is no longer a need.

Protection

  • Lack of security testing
  • Poor information security practices
  • Poor software development practices
  • Poor vendor management

Accountability

  • Lack of data protection policies and procedures.

Screening Questions

You may wish to create a checklist to decide whether to conduct a DPIA. The checklist should follow your applicable regulatory requirements. For example, Article 35(1) of the GDPR requires a DPIA where the processing “is likely to result in a high risk to the rights and freedoms of natural persons”, and Article 35(3) names three cases where it is always required: a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, that produces legal or similarly significant effects on individuals; large-scale processing of special categories of data or of data relating to criminal convictions and offences; and systematic large-scale monitoring of a publicly accessible area. Supervisory authorities also publish their own lists of processing operations that require a DPIA.

However, I am sharing a few questions that I can think of:

  1. Will the new project, process or product collect new personal data?
  2. Will the new project, process or product use personal data in a new way?
  3. Will the new project, process or product disclose personal data to new parties?
  4. Will the new project, process or product make automated decisions about individuals?
  5. Will the new project, process or product involve processing large volumes of personal data?

Resources

  1. The original GDPR text on the Official Journal of the European Union website.
  2. Data Protection Impact Assessment.
  3. This website summarises and organises the GDPR articles well.
  4. Brush up your understanding of the GDPR here.
  5. GDPR compliance checklist.
  6. This template, published by the U.K. Information Commissioner’s Office (ICO), offers an example of how to record the process and outcomes of a DPIA. Don’t forget to check the ICO’s DPIA guidance; the criteria for an acceptable DPIA are set out in the European guidelines on DPIAs.