DPIA: do I need to do one?
As part of the GDPR, many new rules for businesses were introduced to change practices and protect consumer data. One of them obliges organizations to carry out risk assessments for their data practices, in the form of a Data Protection Impact Assessment (DPIA). But what is this assessment, and do you need to do one?
DPIA: when is it needed?
Article 35 of the GDPR sets out the guidelines and the procedure for carrying out a DPIA. It lists the activities that require you to carry out the assessment, including using new technologies or methods when handling data. In particular, Article 35 stresses that you need to carry out the assessment when the activities you are planning to conduct with the data could be considered high risk.
“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data”
Article 35 (1) GDPR
So whether you need to do a DPIA depends on whether the data activity is considered high risk, and you need to make your own judgment on that risk level. If you are unsure how to determine it, conducting a DPIA actually helps you understand where your activities may put the rights and freedoms of your customers at risk. Above all, you need to consider the likelihood of harm and the severity of the impact that the processing could have on the individuals whose data you are handling.
High risk data practices
As you can see above, Article 35 (1) of the GDPR emphasizes activities with consumer data that are “likely to result in a high risk”. While there is no exhaustive list for these activities, there are some practices which will automatically trigger the need to do a DPIA. The Information Commissioner's Office has published a list of ten such activities with data:
- Denial of services
- Innovative technologies
- Large-scale profiling
- Genetic data
- Invisible processing
- The potential risk of physical harm
- Targeting of children and vulnerable individuals
- Data matching
As you can see from the list above, these activities could pose a real threat to people’s freedoms. For example, deciding to deny someone a service based on data about them could seriously affect their life. Imagine if such a decision concerned the issuing of a loan or access to healthcare: automating the denial of services based on the processing of personal data could have a real impact on the individual, so a DPIA needs to be carried out.
Aside from protecting people’s freedoms, there are added benefits to conducting a DPIA. And no: not just to show the regulator that you carry out the processes required of you by law.
DPIA: why should you do one?
First and foremost, you want to carry out a DPIA to identify and then reduce any risks in your data activities. In this aspect, DPIAs bring four big benefits, allowing you to:
- Recognize problems and find the solutions before anything goes wrong
- Reduce overall project costs by implementing set practices and limits at an early stage, so that data handling is optimized throughout
- Indicate to partners and contractors that necessary measures have been taken
- Ensure that the data protection rights of the users are not being violated
In business, the bottom line matters most. Putting your company at risk of big fines by not doing a DPIA should be motivation enough to carry out an assessment when you are starting or making changes to your data practices. In short, if you are handling lots of consumer data and thinking about or preparing to make changes to a data activity, you definitely need to do a DPIA.
The maximum penalty is a fine of 10 million EUR or 2% of total worldwide annual turnover, whichever is higher.
In May 2020, a 16,000 EUR fine was imposed on a Finland-based taxi company for not conducting a DPIA before processing the location data of an employee. For small and medium businesses, the threat that such fines pose is existential, and it may well be for your business too.
You may sometimes feel like there is no tangible outcome from a DPIA. However, DPIAs protect you from risks, which means protecting your reputation. Obviously, nobody gets a prize for being the person who keeps the reputation of the business intact or for saving the company from being fined, but this work really is critical. Since fines can run into the millions, spending the extra time to carry out a DPIA is worth the extra effort.
When do you not have to do a DPIA?
There are some instances when you do not need to carry out a DPIA because the activity is not likely to result in high risk: both the likelihood of harm and the severity of the impact of what you are going to do with the data are low. There are also some other specific situations when there is no need to conduct a DPIA:
- There is a legal provision (law) which entitles you to conduct the processing
- An assessment substantially similar to a DPIA has already been conducted for the processing
It’s also worth mentioning that local data protection authorities have the power to issue a list of other processing operations that do not require a DPIA.
So, while business organizations are advised to conduct a DPIA if they feel that the data activity will have an impact on the rights of individuals, there are certain instances where there is no need to conduct one.
DPIA completed? What now?
After an organization has conducted a DPIA, there are some further actions that need to be taken. If your assessment shows how you can reduce risks while processing public and sensitive data, you will need to state clearly how you will do so and put this into practice in your project. After your DPIA you need to:
- Evaluate whether there is a need to take any extra measures after the DPIA is conducted
- Analyze if the risks you uncovered have been eliminated and are acceptable
- Calculate the level of “residual risk” that remains after the extra measures are taken
- Evaluate whether or not there is a need to consult your local data protection authority
As the list above shows, carrying out a DPIA is not just a tick-box exercise; it requires an outcome and specific follow-up actions. By following the procedure you not only reduce the risk of fines for your business, but also protect your customers and their rights.
In fact, there are several overall advantages to conducting a DPIA, such as:
- Creating awareness regarding consumer data protection in organizations
- Managing risk factors and eliminating them
- Protecting the data protection rights of users
- Reducing harm to the reputation of an organization
- Reducing operation costs by not processing unnecessary data
So, while it is not mandatory in all cases to carry out a DPIA, and you may sometimes feel that conducting one will be a waste of time with no tangible outcome, you can see that the related benefits shield you from all sorts of risk. Moreover, as consumers become more privacy aware, prioritizing their data protection rights is becoming a strategic advantage for many businesses. This means that you can turn compliance with the law from a cost sink into a revenue generator.