Table of Contents
- What is Data Privacy Impact Assessment (DPIA)?
- Why do we need to carry out DPIA?
- What is the Purpose of DPIA?
- What is PIA?
- What’s the difference between PIA and DPIA?
- When should DPIA be done?
- What other benefits are there of carrying out DPIA?
- Who should conduct DPIA?
- Who should be involved?
- Step-by-Step DPIA Process Guide
- Step 1: Identify the need for DPIA
- Step 2: Plan your DPIA
- Step 3: Alignment with the Stakeholders
- Step 4: Carry out the DPIA
- Step 5: Add your findings to the Risk Register
- Closing Notes
- Common Privacy Risks That are Identified in DPIA
- Purpose Limitation
- Retention Limitation
- Screening Questions
This article is in the Brain On Security Series, and the topic is Data Privacy Impact Assessment (DPIA).
There are three reasons why I chose Data Privacy Impact Assessment (DPIA) for the first deep dive article in the Brain On Security Series.
- It’s October 24, 2021, Wednesday afternoon, and I am panicking because I decided to publish an article each week on Wednesday.
- I needed to carry out DPIA for an organisation, and I had to do a deep dive for my understanding.
- I have purchased the CDPSE exam from the ISACA website, and I have to book the exam date asap.
This article aims to help you prepare and conduct Data Protection Impact Assessments (DPIA).
What is Data Privacy Impact Assessment (DPIA)?
To understand DPIA, you need to understand the General Data Protection Regulation (GDPR). To help you visualise, I have created the following mind map.
GDPR has 11 chapters, and each chapter is subdivided into sections and articles; there are 99 articles in total across those 11 chapters. The link to the original GDPR is here.
In GDPR, Chapter 4, Section 3, Article 35 defines DPIA as below:
Simply put, “DPIA is an assessment of the impact of the envisaged processing operations on the protection of personal data.”
Why do we need to carry out DPIA?
What is the Purpose of DPIA?
The purpose of DPIA is to validate the proposed change from a privacy perspective: to ensure that the process, product or project has been built with privacy and security by design, and that its impact on privacy is neutral or positive.
What is PIA?
PIA is a targeted risk assessment undertaken to identify impacts on individual privacy, and on an organisation’s ability to protect information, resulting from a proposed change to a business process or information system.
What’s the difference between PIA and DPIA?
Short Answer: PIA is a term that existed before but wasn’t well known. In short, GDPR coined the term DPIA and made it widely known.
Long Answer: PIAs are not a new concept, but they weren’t well known until the General Data Protection Regulation (GDPR) coined the term DPIA. GDPR raised the visibility and awareness of the Impact Analysis (IA) process in the context of Data Protection by making it applicable to all businesses that process personal data. Essentially, GDPR took PIA, renamed it to DPIA and made it famous.
When should DPIA be done?
A significant change triggers the DPIA: organisations carry out a DPIA whenever there is a new process, product, or project that will collect, store, or transmit PII, or when a significant modification to an existing process, product, or project may create a new privacy risk. The fact that a DPIA will need to be updated once the project has started is not a valid reason for postponing or not carrying out a DPIA.
What other benefits are there of carrying out DPIA?
Beyond the fact that you would avoid fines if you can demonstrate, with evidence, that you conduct DPIAs within the organisation, there are more benefits, some of which are listed below:
- Conducting a DPIA will increase awareness regarding data protection risks.
- That awareness will help improve the design of your project, product or process and enhance the communication about data privacy risks among the stakeholders.
- It demonstrates that your organisation complies with the GDPR and helps you avoid fines.
- It increases customer confidence and trust by showing how mature your security and privacy practices are.
- It brings unknowns to knowns: DPIA is a risk assessment tool; you’re essentially identifying your risk exposure so that you can manage it well. If you haven’t identified your risks, you’ve already accepted them.
- Understanding, awareness and compliance with GDPR would increase your confidence to navigate your company towards success. By carrying out DPIA, you’re helping your future self by preventing both complacency and panic for when a privacy or security incident happens, and it will happen.
Who should conduct DPIA?
Ideally, the organisation should have the answer to this question documented in the roles and responsibilities section of its privacy framework.
If your organisation does not have an official privacy framework, speak to your DPO, or whoever is playing the role of DPO in your organisation, and to your compliance team. Your compliance team or DPO should have a process defined for DPIA.
The team or individual responsible for the DPIA process provides the required information, ensures that the leadership is aligned with the DPIA’s findings, and gets the required management buy-in and resources committed for the mitigation measures.
Who should be involved?
It depends on the scope of the product, project or process: if it cuts across multiple departments and teams within the organisation, you may need to speak to all of them. You can narrow down the scope to reduce the number of people involved at any given time.
Step-by-Step DPIA Process Guide
The following mind map shows how you can carry out a DPIA for your organisation:
Step 1: Identify the need for DPIA
Carry out an initial lightweight screening survey to see if you need a full DPIA. If a DPIA is needed, move on to Step 2 to plan it.
Step 2: Plan your DPIA
You need to define the nature, scope, and context for conducting the DPIA; you already have the notes from the screening you carried out in Step 1. Use those notes to define the nature of the DPIA.
Step 3: Alignment with the Stakeholders
You should consult with a range of stakeholders, including team members across your organisation from legal, compliance, product, engineering, security, data teams and the views of the people whose data you intend to process.
Step 4: Carry out the DPIA
Understand the purpose of the data and of the processing carried out on it. Utilise Data Flow and Data Usage diagrams. Ensure you have a valid and lawful basis for processing the PII, and that you can balance it against the rights of the people whose data you intend to process. Use the template provided in the resources section below; its process includes identifying, assessing, and planning actions to mitigate risks to individuals’ privacy and data protection.
Step 5: Add your findings to the Risk Register
The organisation needs to incorporate the considerations, conclusions and actions arising from the DPIA report. Add the risks identified during the DPIA to your organisation’s risk register for appropriate risk treatment, tracking until closure, and ongoing monitoring. Track the actions identified, and once your processing is underway, test its operation against the original purpose and data protection considerations.
Closing Notes
One thing became evident to me while I was researching the topic of DPIA over the last week.
- DPIA or PIA is a process, not a stand-alone or one-off activity.
- DPIA should be part of your broader Privacy Program.
- The organisation should support the privacy program via an enterprise risk management framework.
- An ERM framework that supports the privacy program will ensure that you have support from the Board of Directors and the Leadership.
Common Privacy Risks That are Identified in DPIA
- Lack of transparency when collecting personal data
- Processing personal data for purposes that data subjects have not been informed about
- Holding on to personal data when there is no longer a need for it
- Lack of security testing
- Poor information security practices
- Poor software development practices
- Poor vendor management
- Lack of data protection policies and procedures
Screening Questions
You may wish to create a checklist to decide whether to conduct a DPIA. The checklist should follow your applicable regulatory requirements. For example, GDPR requires a DPIA to be conducted “when the activity is likely to result in a high risk to the rights and freedoms of the data subjects.”
However, I am sharing a few questions that I can think of:
- Will the new project, process or product collect new personal data?
- Will the new project, process or product use personal data in a new way?
- Will the new project, process or product disclose personal data to new parties?
- Will the new project, process or product make automated decisions?
- Will the new project, process or product involve processing large volumes of personal data?
Resources
- Original GDPR on the Official Journal of the European Union website.
- Data Protection Impact Assessment
- This website summarises and segregates GDPR articles well here.
- Brush up your understanding of GDPR here.
- GDPR Compliance Checklist
- This template, published by the U.K. Information Commissioner’s Office, offers an example of recording the process and outcomes of a DPIA. Don’t forget to check out the ICO’s DPIA guidance; the criteria for an acceptable DPIA are set out in the European guidelines on DPIAs.