As part of the GDPR, many different new rules for businesses were introduced to change practices and protect consumer data. One of the rules obligates organizations to carry out risk assessments for their data practices. One of these is called a Data Protection Impact Assessment (DPIA). But what are these assessments and do you need to do one?
Article 35 of the GDPR sets out the guidelines and the procedure for carrying out a DPIA. It lists the different activities that require you to carry out the assessment, including the use of new technologies or methods when handling data. In particular, Article 35 stresses that you need to carry out the assessment when the activities you are planning to conduct with the data are likely to be high risk.
“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data”
Article 35 (1) GDPR
So whether you need to do a DPIA depends on whether the data activity is considered high risk, and it is up to you to make your own judgment on that risk level. If you are unsure how to figure out the risk level, conducting a DPIA actually helps you understand where your activities may put the rights and freedoms of your customers at risk. Above all, you need to consider the likelihood of harm and the severity of the impact that the processing could have on the individuals whose data you are handling.
As you can see above, Article 35 (1) of the GDPR emphasizes activities with consumer data that are “likely to result in a high risk”. While there is no exhaustive list for these activities, there are some practices which will automatically trigger the need to do a DPIA. The Information Commissioner's Office has published a list of ten such activities with data:
As you can see from the list above, these activities could pose a real threat to people’s freedoms. For example, a decision to deny someone a service based on data about them could have a real impact on their life. Imagine if that decision concerned a loan or access to healthcare: automating the denial of services based on the processing of personal data could seriously affect the individual, so a DPIA needs to be carried out.
Aside from protecting people’s freedoms, there are added benefits to conducting a DPIA. And no: not just to show the regulator that you carry out the processes required of you by law.
First and foremost, you want to carry out a DPIA to identify and then reduce any risks in your data activities. In this aspect, DPIAs bring four big benefits, allowing you to:
In business, the bottom line matters most. Putting your company at risk of big fines by not doing a DPIA should be motivation enough to carry out an assessment when you are starting or making changes to your data practices. In short, if you are handling lots of consumer data and thinking about or preparing to make changes to a data activity, you definitely need to do a DPIA.
The maximum penalty is a fine of 10 million EUR or 2% of the total worldwide annual turnover, whichever is higher.
In May 2020, a 16,000 EUR fine was imposed on a Finland-based taxi company for not conducting a DPIA before processing the location data of an employee. For small and medium businesses, the threat that these fines pose is existential to their business and it may well be for your business too.
You may sometimes feel like there is no tangible outcome from a DPIA. However, DPIAs protect you from risks, which means protecting your reputation. Obviously, nobody gets a prize for being the person who keeps the reputation of the business intact or for saving the company from being fined, but this work really is critical. Since fines can run into the millions, spending the extra time to carry out a DPIA is worth the extra effort.
There are some instances when you do not need to carry out a DPIA because the activity is not likely to result in a high risk, that is, both the likelihood of harm and the severity of the impact of what you are going to do with the data are low. There are also some other specific situations in which there is no need to conduct a DPIA:
It’s also worth mentioning that local data protection authorities have the power to issue a list of other processing operations that do not require a DPIA to be conducted.
So, as we can see, while business organisations are advised to conduct a DPIA if they feel that the data activity will have an impact on the rights of individuals, there are certain instances where there is no need to conduct one.
After an organization has successfully conducted a DPIA, there are some further actions that need to be taken. If your assessment highlights how you can reduce risks while processing public and sensitive data, you will need to record a clear conclusion on how you will do so and put it into practice in your project. After your DPIA you need to:
As we can see from the list above, carrying out a DPIA is not just a tick-box exercise and requires an outcome and certain actions. By following the procedure you not only reduce the risk of fines to your business, but also protect your customers and their rights.
In fact, there are several overall advantages to conducting a DPIA, such as:
So, while it is not mandatory in all cases to carry out a DPIA, and you may sometimes feel that conducting one will be a waste of time with no tangible outcome, the benefits described above fence you off from all sorts of risk. Moreover, as consumers become more privacy aware, prioritizing their data protection rights is becoming a strategic advantage for many businesses.