A DPIA is a systematic and comprehensive analysis of any processing of data which is likely to result in high risk to individuals.
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
Article 35 of the GDPR sets out when and how a DPIA must be conducted. The usual trigger is starting a new data processing activity or changing an existing one. If the new or changed activity is likely to result in a high risk to the rights and freedoms of the people whose data you are processing, you must do a DPIA before the processing begins.
The following checklist should serve as your simple guide to understand your compliance obligations under the law.
Ideally, you should start a DPIA in the early stages of any project that involves processing personal data, and keep it running alongside the planning and development of the project rather than bolting it on at the end.
Let’s run through the step-by-step checklist for data protection impact assessments.
Before you begin carrying out a DPIA, you need to assess whether one is necessary. As a general rule, any major project that uses personal data should include a decision on whether a DPIA is needed. Certain kinds of processing (for example, those on your supervisory authority's published list) automatically oblige you to conduct a DPIA. In other cases, you need to assess whether the project is likely to result in a high risk to individuals. This "high risk" criterion is what determines whether a DPIA is required.
After you have considered whether the activities you will undertake with the data are high risk, you may conclude that a DPIA is needed. If you decide that the activity is not high risk and does not warrant a DPIA, document the reasons in writing, including any advice you sought. The UK data protection authority, the ICO, advises erring on the side of caution and doing a DPIA whenever in doubt.
As the first step in carrying out the DPIA, you need to understand and document the processing activities in the project. In other words, describe how and why personal data will be used. Specifically, the GDPR requires you to cover "the nature, scope, context and purposes" of the processing.
In the context of a DPIA, the nature of processing means documenting what you plan to do with the personal data. For example, this includes:
The ‘scope’ of the data processing requires you to mention what will be covered under processing. This includes:
For the ‘context’ of data processing, you are required to explain the bigger picture of the project including all internal and external factors which might affect the expectations or impact of the project. Here, you should include:
You should also describe any previous instances of this kind of processing and any issues of public concern. The UK ICO advises that you also show whether you comply with the UK GDPR and any relevant codes of practice.
Lastly, under the ‘purpose’ of processing, you should state the reasons for processing the personal data. For example, specify:
Additionally, state the legal basis for the processing. It is also advisable to record where the data will be hosted and how it flows geographically, since this feeds directly into the international transfer assessment later on.
You should consult individuals and document their views and issues. In case you decide not to consult individuals, document your rationale for this decision in your DPIA. For example, if a consultation with individuals may undermine commercial confidentiality, security, or is disproportionate or impracticable, then you should explain this in the DPIA.
In case you process personal data relating to existing contacts such as customers or employees, then it is important to have a consultation process in place to speak with individuals or their representatives.
If the DPIA covers personal data of individuals who have not been identified yet, you are advised to carry out a general public consultation. This can be done in a targeted manner, for example by contacting particular demographics or customer bases for their views.
In case your DPIA decision is at odds with the opinions of the individuals you consulted, you need to mention the reasons why you haven’t taken the views of the individuals into account.
Apart from individuals, you should also consult senior privacy professionals such as your DPO or CPO (Article 35(2) requires you to seek the advice of the DPO where one has been designated), and, where appropriate, the regulator (your local data protection authority) and lawyers for legal advice.
You may also consider consulting IT experts within your organization or external legal professionals for independent advice, wherever necessary. However, there is no obligation to do so.
You should consider whether your planned processing actually helps to achieve the stated purpose (necessity), and whether there is another reasonable, less intrusive way to achieve the same result (proportionality). To show necessity and proportionality, document how your organisation ensures the protection of the data.
Here, you should specify:
Additionally, mention what measures you will take to ensure compliance if you use any processors, such as SaaS applications that process personal data on your behalf, and the safeguards you employ if the processing involves the international transfer of data.
In this step, you are required to comprehensively consider the potential impact on individuals. This includes identifying what harm or damage your processing may cause. This harm can be physical, emotional, or material.
Consider whether your data processing may lead to:
Your organization should also assess the security risks involved in the project, including the source of each risk and how a breach (such as illegitimate access to, modification of, or loss of personal data) would impact the individuals concerned.
You should examine each risk on two dimensions: the likelihood that harm occurs and the severity of the impact on individuals if it does. A harm that is both likely and severe is clearly 'high risk'. A severe harm can still be high risk even where its likelihood is relatively low, and a less serious harm can be high risk where it is very likely to occur.
Other risks should also be considered, such as the commercial risk to your organization, the impact of regulatory action, and reputational damage.
After you identify the high risks, you need to specify the measures you put in place to reduce the severity or the chances of such risk. For all the identified risks, mention the source of the risk and list measures you will take to reduce the risk.
Some such measures may be:
This list is intended to provide you an indication of the kind of measures you should adopt to mitigate risks. In addition, you should also document whether the measure will reduce or eliminate the risk completely. To determine the appropriateness of measures, examine the costs and benefits of each measure thoroughly.
After identifying risk mitigation measures, document which ones you plan to implement. Not every risk you identified needs to be completely eliminated: some risks may be acceptable where the benefits of the processing outweigh them.
Upon completion, document whether the risks you identified have been eliminated, reduced, or accepted. Also, specify the extent to which risk remains even after taking additional measures. At this stage, you may also consider consulting the regulators or local data protection authorities.
After recording the outcomes of your DPIA, you should integrate them into your project plans. Ensure implementation of the DPIA outcomes by assigning responsibilities to applicable colleagues.
If a high risk remains after mitigation, for example because mitigating it is too costly or not possible, you are required under Article 36 to consult the ICO before moving forward with the processing.
DPIAs are not a one-time exercise. The assessment is an ongoing process, so once you have completed the DPIA you need to keep it under review. You will also need to revisit or repeat the DPIA if there is a significant change in the nature, scope, context or purpose of the processing.
You may assign the responsibility for carrying out DPIAs and signing them off to someone in your organization, or outsource the work. However, primary responsibility rests with you as the controller. For example, you may ask a processor to carry out a DPIA for your organization, yet you remain responsible for it and for implementing its outcomes.