Privacy Information Security

Complete Guide to conducting Data Protection Impact Assessment (DPIA)

Ishan Girdhar
Ishan Girdhar
6 min read
Complete Guide to conducting Data Protection Impact Assessment (DPIA)
Facial Recognition Algorithm Identifying Faces in Public Space

Introduction

This article is in the Brain On Security Series, and the topic is Data Privacy Impact Assessment (DPIA)

I chose Data Privacy Impact Assessment (DPIA) as the first deep-dive article in the Brain On Security Series for three reasons.

  1. It's Wednesday afternoon, October 24, 2021, and I am panicking because I decided to publish an article weekly on Wednesday.
  2. I needed to carry out DPIA for an organization, and I had to do a deep dive to understand it.
  3. I have purchased CDPSE from the ISACA Website, and I have to book the exam date asap.

This article will help you prepare and conduct Data Protection Impact Assessments (DPIA).

What is Data Privacy Impact Assessment (DPIA)?

To understand DPIA, you must understand the General Data Protection Regulation (GDPR). I have created the following mind map to help you visualize.

The GDPR has 11 Chapters, each subdivided into sections and articles. Overall, the GDPR has 99 articles spanning 11 chapters. The link to the original GDPR is here.

In GDPR, Chapter 4, Section 3, Article 35. defines DPIA as below:

"DPIA is an assessment of the impact of the envisaged processing operations on the protection of personal data."

Why do we need to carry out DPIA?

DPIA aims to ensure that the personal information collected is used only for its intended purpose. It identifies the impact(s) any process or system change has on the organization's compliance with its privacy policy and applicable privacy laws and regulations.

What is the Purpose of DPIA?

DPIA aims to validate the proposed change from a privacy perspective to ensure that the privacy process, product, or project has a well-designed privacy and security design and that the impact on privacy is neutral or positive.

What is PIA?

A PIA is a targeted risk assessment that identifies potential impacts on individual privacy and an organization's ability to protect information resulting from a proposed change to a business process or information system.

What'sorganisation'sWhat'sorganisation'sorganization's the difference between PIA and DPIA?

Short Answer: PIA existed before but wasn't very well known. In short, GDPR coined the term DPIA and made it widely known.

Long Answer: Until the General Data Protection Regulation (GDPR) coined the term DPIA. While PIAs are not new, they weren't well known either. GDPR raised the visibility and awareness of the Impact Analysis (IA) process in the context of Data Protection by making it applicable to all businesses that process personal data. GDPR took PIA, renamed it DPIA, and made it famous.

When should DPIA be done?

While a significant change triggers the DPIA, Organisations carry out DPIAs whenever a new process, product, or project collects, stores, or transmits PII or when a significant modification to a process, product, or project may create a new privacy risk. Just because a DPIA needs to be updated once the project has started is not a valid reason for postponing or not carrying out one.

What other benefits are there of carrying out DPIA?

Besides, you would avoid fines if you can demonstrate by providing evidence that you're conducting DPIA within the organization. There are more benefits, some of which are listed below:

  1. Conducting a DPIA will increase awareness regarding data protection risks.
  2. This awareness will help improve the design of your project, product, or process and enhance the communication among the stakeholders about data privacy risks.
  3. Demonstrating that your organization complies with the GDPR and avoids fines.
  4. Increase customer confidence and trust, given how mature Security and Privacy practices are.
  5. Bring unknowns to knowns: DPIA is a risk assessment tool. It essentially involves identifying your risk exposure to manage it well. If you haven't identified your risks, you've already accepted them.
  6. Understanding, awareness, and compliance with GDPR would increase your confidence in navigating your company toward success. By carrying out DPIA, you're helping your future self by preventing complacency and panic when there is a privacy/security incident that will happen.

Who should conduct DPIA?

Ideally, the organization should document itsresponsible for it answer to this question in its privacy framework's roles and responsibilities section of its privacy frameworkthe.

If your organization does not have an official privacy framework, you can speak to your DPO or whoever is responsible at any time. You can also speak to your compliance team. Your compliance team or DPO should have a process defined for DPIA.

The team or individual responsible for the DPIA process provides the required information, ensures alignment with the DPIA and the leadership's findings, and gets the required management buy-in and resources for the mitigation measures.

Who should be involved?

If the product, project, or process involves multiple departments and teams, the number of people involved will depend on the scope. You may need to speak to all of them, but you can narrow the scope and reduce the number.

Step-by-Step DPIA Process Guide

The following shows the mind map on how you can carry out a DPIA for your organization:

Step 1: Identify the need for DPIA

Conduct an initial lightweight survey to determine whether you need a full DPIA. If so, proceed to Step 2 to plan your DPIA.

Step 2: Plan your DPIA

You need to define the nature, scope, and context for conducting the DPIA; you have already had the notes since you conducted the screening. Use the notes to define the nature of DPIA.

Step 3: Alignment with the Stakeholders

You should consult with various stakeholders, including members of your team, and the views of the people whose data you intend to process.

Step 4: Carry out the DPIA

Understand the purpose of the data and its processing—Utilise data flow and usage diagrams. Ensure you have a valid and lawful reason for processing the PII and balance the rights of the people whose data you intend to process. Using the template process (provided in the resources section below) includes identifying, assessing, and planning actions to mitigate individual privacy and data protection risks.

Step 5: Add your findings to the Risk Register

The organization needs to incorporate the considerations, conclusions, and actions arising from the DPIA report. Add the risks identified as part of DPIA activity in your organization's risk register for appropriate risk treatment and tracking until closure and monitoring on an ongoing basis. Track your actions identified and test their operation against the original purpose and data protection considerations once your processing is underway.

Closing Notes

One thing has been evident to me as I researched the topic of DPIA over the last week.

  • DPIA or PIA is a process, not a stand-alone or one-off activity.
  • DPIA should be part of your broader Privacy Program.
  • The organization should support the privacy program via an enterprise risk management framework.
  • The ERM-supporting privacy program will ensure you receive support from the Board of Directors and the leadership.

Common Privacy Risks That are Identified in DPIA

Notification

  • Lack of transparency when collecting personal data

Purpose Limitation

  • They are processing personal data for purposes that data subjects are not informed about.

Retention Limitation

  • Holding on to personal data when there is no longer a need.

Protection

  • Lack of Security Testing
  • Poor Information Security Practices
  • Poor software development practices
  • Poor Vendor Management

Accountability

  • Lack of data protection policies and procedures.

Screening Questions

You may wish to create a checklist to decide whether to conduct a DPIA. The checklist should meet your applicable regulatory requirements. For example, GDPR requires DPIAs to be conducted "When the activity is likely to result in a high risk to the rights and freedoms of the data subjects."

However, I am sharing a few questions that I can think of:

  1. If the new project, process, or product will collect new personal data.
  2. If the new project, process, or product uses personal data in a new way
  3. If the new project, process, or product will disclose personal data to new parties
  4. If the new project, process, or product will be making the automated decision
  5. If the new project, process, or product will involve processing large volumes of personal data.

Resources

  1. The Original GDPR is on the Official Journal of the European Union Website.
  2. Data Protection Impact Assessment
  3. This website summarises and segregates GDPR articles well here.
  4. Brush up your understanding of GDPR here.
  5. GDPR Compliance ChecklistICO'sChecklistICO's
  6. This template, published by the U.K. InformaCommissioner's Office, offers an example of recording the process and outcomes of a DPIA. Remember to check out the ICO's DPIA guidance. The criteria for an acceptable DPIA are set out in European guidelines on DPIAs.understand it

You might also like

Subscribe to Ishan Girdhar newsletter and stay updated.

Don't miss anything. Get all the latest posts delivered straight to your inbox. It's free!
Great! Check your inbox and click the link to confirm your subscription.
Error! Please enter a valid email address!