DPIA: what is it?
DPIA stands for data protection impact assessment. DPIA is the process of measuring and mitigating the risk factors involved in collecting, storing, and using personal data. Since personal data is sensitive to an individual's identity, organizations collecting this data need to be clear about their purposes for doing so and the privacy safeguards they have in place.
- A data protection impact assessment (DPIA) is a process that helps identify and minimize the risks of a data breach
- Data protection plans, risk solutions, and project viability are integral functions under DPIA
- DPIA forms an essential part of your accountability obligations, especially in projects that involve high-risk processing of personal data
- DPIA is mandatory under GDPR Article 35 in certain situations
- If you cannot mitigate the risks to a satisfactory level, don’t run the data processing activity and consult the data protection authorities
DPIA: when to do one
Organizations conduct a DPIA when they undertake a new data process or change a pre-existing one. One thing to note is that the assessment has no blanket rule. It is tailored to the project at hand, considering the overall impact it could have on the individuals whose data is being handled. There are generally three situations in which a DPIA should be carried out:
- Automated processing of personal data where the outcome of the processing has a legal effect on the person
- Large scale processing of special category data or data regarding criminal convictions
- Large scale and systematic monitoring of publicly accessible areas
DPIA: why it is important
The most important reason why you should be considering carrying out a DPIA is the legal obligations it entails. The assessment needs to be carried out where you are considering new types of processing. This can include the use of new services that process data on your behalf.
“Where a type of processing ... is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
Article 35 of the GDPR
If your organization has reason to believe that a change to the way you process data poses high risks to your customers, yet you fail to conduct a DPIA, you could land yourself in trouble with the authorities. The punishment for failing to comply with the law amounts to 2% of the global turnover of your company or €10 million, whichever is higher.
Fines levied by data protection authorities can pose an existential threat to medium-sized businesses. While the news is filled with fines issued to the biggest players, smaller businesses are also at risk.
As you can see from the figures in the image above, not being a large business doesn’t shield you from the law. If you are processing customer personal data, you need to conduct a DPIA before beginning any process.
Why DPIA is important
A DPIA’s detailed structure means that it acts as a microscope into your organization’s conduct and core principles. It helps not only in the initial stages of a project to ensure privacy by design, but also creates transparency around policies, which can then be communicated to every department affected by them.
Let’s take a closer look at some of the benefits of carrying out a data protection impact assessment.
A thorough DPIA instills confidence among higher management in your organization and demonstrates your commitment to data protection. You can even go the extra mile by publishing your DPIA report publicly, transparently informing customers and the general public about how, when, and why their data is processed in your organization. It’s worth noting, though: you don’t need to make the whole report public, considering the sensitive information it holds; just a summary with the key highlights can work well to boost trust with your customers.
GDPR audit tools such as DPIAs bring potential data privacy issues to the fore in your organization before they arise, allowing you to take preventative action. It is a way to bring about a more privacy-centric culture, with your staff experiencing a change in their approach and adopting a privacy-first model.
By identifying any issues in the early stages of your data processing activity (or even before it has begun), you can proactively patch any holes in your processes and optimize different aspects.
A DPIA examines your users’ basic requirements, expectations, and questions regarding how you process their data. It acts as a trust-building exercise that, in turn, brings better recognition, relationships, and reputation in your area of business.
DPIA vs PIA: what’s the difference?
A PIA, or privacy impact assessment, is a blanket term used by privacy teams to understand, evaluate, and implement privacy protocols in the organization’s design. It is applied either to existing systems or when you add a new business process to the mix.
A DPIA, on the other hand, deals specifically with personal data processing, identifying and mitigating the risks before they arise. While a PIA is a one-time process, you need to conduct a DPIA on a continuous basis.
PIAs concentrate on the organizational changes that you must undertake to introduce a new business or technology. The alterations in the company’s privacy program and risks are studied and worked upon. On the other hand, DPIAs concern the impact of data processing on individuals, not the organization.
It is important to note that PIA and DPIA are often used interchangeably in the context of the GDPR. This is because the basic principles of the two are the same, involving four stages and four assessments at each stage.
The four stages:
- Defining the processing context
- Establishing compliance controls
- Assessing the risks to the data
- Validating the level of protection
The four assessments at each stage:
- Parties involved
- Nature and scope
- Processing purposes
- Legislative requirements
Nevertheless, they are distinct and complementary. An application of both assessments ensures a holistic and comprehensive privacy plan for the organization and its processes.
DPIAs demonstrate your company’s commitment to accountability, privacy, and transparency. Since conducting the assessment is part of legislation to protect the rights and freedoms of people, a DPIA is a report that explains your data processing methods under the GDPR.
While it is not legally binding to publish a DPIA report, it will boost trust with your customers and your brand image if you decide to do so. Publication of your practices opens up the organization’s workings to show that you take data privacy seriously.
GDPR Article 35 essentially requires your organization to justify the purpose and objective of using personal data against the risks involved. At the end of the day, you are the one who is expected to assess the measures required to minimize or prevent the risks involved and implement a solid policy across the board.