June 16, 2021
9 min read

DPIA checklist

DPIA (Data Protection Impact Assessment) is an obligation under the GDPR for identifying and minimizing data protection risks in a project.

A DPIA is a systematic and comprehensive analysis of any processing of data which is likely to result in high risk to individuals.

DPIA: when and how

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

Article 35 of the GDPR (1)

Article 35 of the GDPR details the when and how of conducting a DPIA. The main reason to carry out a DPIA is when you are starting a new data processing activity or making alterations to an existing activity. If there is the possibility that new activity brings about high risk to the rights of the people whose data you are processing, you need to do a DPIA.

The following checklist should serve as your simple guide to understand your compliance obligations under the law.

DPIA checklist: when to start

Ideally, you should start carrying out a DPIA in the early stages of any project which requires processing of data. The DPIA should be carried out in a way that it runs alongside the planning and development of the relevant project.

Let’s run through the step-by-step checklist for data protection impact assessments.

0. Consider whether a DPIA is needed

Before you begin carrying out a DPIA, you need to assess whether one is necessary. As a general rule, any major project that involves usage of personal data should involve the consideration of whether you need to carry out a DPIA. Certain kinds of processing automatically obligates you to conduct a DPIA. In other cases, you need to assess whether the project is likely to result in high risk for individuals. This criteria of high risk activity is key to whether you need to conduct a DPIA

After you have considered whether the activities you will undertake with the data are high risk or not, you may feel you need to undertake a DPIA. In case you decide that the activity is not high risk and doesn’t warrant a DPIA, you should document the reasons why not in writing, making sure to include any advice you seek. The UK data procession authority — ICO — advice is to err on the side of caution and do a DPIA whenever in doubt.

1. Understand what data is being processed

As a first step carrying out the DPIA, you need to understand and document the processing activities in the project. In other words, describe how and why personal data will be used in the project. Specifically, the GDPR requires you to include “the nature, scope, context and purpose” of the data being processed.

In the context of a DPIA, the nature of processing means documenting what you plan to do with the personal data. For example, this includes:

  • The process of collection, storage, and usage of data
  • Who will have access to the data
  • The period for which you will hold the data
  • Any security measures you adopt for data protection
  • Whether any processors are being used in the project
  • Your screening criteria for considering likely high risk

The ‘scope’ of the data processing requires you to mention what will be covered under processing. This includes:

  • The nature and sensitivity of the personal data being processed
  • The amount and variety of the data
  • How frequently and for how long will the data be processed
  • How many data subjects will be involved
  • The geographical extent of data processing

For the ‘context’ of data processing, you are required to explain the bigger picture of the project including all internal and external factors which might affect the expectations or impact of the project. Here, you should include:

  • The source of the data
  • The nature of your relationship with the individuals
  • The nature of individuals’ control of their data
  • The individuals’ expectation of data processing
  • Whether data is being collected from children and vulnerable individuals

You should also elaborate on the previous instances of such processing and issues of public concern, if any. The UK ICO advises to also show whether you comply with the UK GDPR and other relevant codes of practice.

Lastly, under the ‘purpose’ of processing, you should state the reasons for processing the personal data. For example, specify:

  • The legitimate interests for processing
  • The intended outcome of the project for individuals
  • All the public benefits expected from such processing

Additionally, you should also state the legal grounds for processing of the data. It is also advisable to mention the place where data will be hosted and the geographical flow of the data.

Free DPIA template

Save time and effort by downloading Soveren’s free DPIA template.
Download now

2. Consult individuals

You should consult individuals and document their views and issues. In case you decide not to consult individuals, document your rationale for this decision in your DPIA. For example, if a consultation with individuals may undermine commercial confidentiality, security, or is disproportionate or impracticable, then you should explain this in the DPIA.

In case you process personal data relating to existing contacts such as customers or employees, then it is important to have a consultation process in place to speak with individuals or their representatives.

In case the DPIA covers personal data of individuals that have not been identified yet, then you are advised to carry out a general public consultation. This consultation should be done in a targeted manner while contacting particular demographics or customer bases for their views.

In case your DPIA decision is at odds with the opinions of the individuals you consulted, you need to mention the reasons why you haven’t taken the views of the individuals into account.

3. Consult privacy professionals, regulators, and others

Apart from individuals, it is also recommended to consult more senior privacy professionals (such as your DPO or CPO), the regulator (local data protection authority), and lawyers for legal advice.

You may also consider consulting IT experts within your organization or external legal professionals for independent advice, wherever necessary. However, there is no obligation to do so.

4.Consider necessity and proportionality

You should consider whether your plans to process the data are enough to achieve the set purpose. Secondly, you must consider whether there is another reasonable way to achieve the same result. To show necessity and proportionality, you should document how your organisation ensures protection of data.

Here, you should specify:

  • The lawful rationale to process data
  • How you will support individuals’ rights in general
  • The steps you will take to provide privacy information to the individuals the data concerns
  • How you will ensure no function creep (where the process extends beyond its original purpose)
  • The measures you will take to ensure data quality and data minimization

Additionally, you should also mention what measures you will be taking to ensure compliance if you use any processors , such as SaaS applications which process personal data on your behalf, and safeguards which you employ should the processing activity involve the international transfer of data.

Download a free DPIA template

5. Identify and examine risks

In this step, you are required to comprehensively consider the potential impact on individuals. This includes identifying what harm or damage your processing may cause. This harm can be physical, emotional, or material.

Consider whether your data processing may lead to:

  • Individuals’ inability to exercise their rights in general
  • Individuals becoming unable to access services
  • Individuals losing control over the way their personal data is used
  • Discrimnation in any manner
  • Identity theft, fraud, financial loss, reputational damage, or physical harm
  • Breach of confidentiality
  • Re-identification of anonymized or pseudonymized data
  • Major economic or social disadvantages for the people concerned

Your organization should also assess the security risks involved in the project, including the source of the risk and how the data breach (such as illegitimate access, modification or loss of personal data) may impact individuals.

You should examine risks using two metrics: the likelihood of harm and the severity of the impact that your processing may cause. High likelihood of harm accompanied with some severity of impact, is considered a ‘high risk’. Similarly, a severe impact with reasonably low harm may also be considered to pose ‘high risk’.

Other risks should also be considered: such as the commercial risks of your organization, the impact of regulatory action, the potential for reputational loss, and damage to reputation.

6. Measures to mitigate the risks

After you identify the high risks, you need to specify the measures you put in place to reduce the severity or the chances of such risk. For all the identified risks, mention the source of the risk and list measures you will take to reduce the risk.

Some such measures may be:

  • Decide against collection of certain categories of data
  • Narrow down the scope of processing and the data retention period
  • Adopt technological safeguards for security
  • Train your staff to manage risks effectively
  • Anonymize and pseudonymize data as much as possible
  • Have internal policies in place to minimize risks
  • Apply data-sharing agreements
  • Provide individuals the opportunity to opt out

This list is intended to provide you an indication of the kind of measures you should adopt to mitigate risks. In addition, you should also document whether the measure will reduce or eliminate the risk completely. To determine the appropriateness of measures, examine the costs and benefits of each measure thoroughly.

7. Record outcomes

After identifying risk mitigation measures, you should document which the ones you plan on implementing. However, not all of the risks you identified need to be completely eliminated. Some risks may be acceptable in situations where the upside to the processing outweighs them.

Upon completion, document whether the risks you identified have been eliminated, reduced, or accepted. Also, specify the extent to which risk remains even after taking additional measures. At this stage, you may also consider consulting the regulators or local data protection authorities.

8. Implement into your project plans

After recording the outcomes of your DPIA, you should integrate them into your project plans. Ensure implementation of the DPIA outcomes by assigning responsibilities to applicable colleagues.

In case you have accepted a higher risk, where mitigation of the risk is too costly or not possible, then you are required to consult the ICO before moving forward.

9. Review the DPIA

DPIAs are not a one-time exercise. As the assessment is an ongoing process, once you have completed the DPIA, you need to keep it under review. You may also be required to repeat a DPIA if there is a significant change in the nature, scope, context or purpose of processing.

DPIA: your business obligations

You may assign the responsibility of carrying out DPIAs and signing them off to someone in your organization. You may also outsource your DPIA. However, the primary responsibility rests on you. For example, you may ask a processor to carry out a DPIA for your organization, yet you remain responsible for it and its implementation.

Automate your personal data monitoring and analytics with a free tool

Author
Soveren

Receive helpful tips, practical content, and updates

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.