data protection impact assessment (DPIA)

What is a data protection impact assessment (DPIA)?

A data protection impact assessment (DPIA) is a process designed to help organizations determine how data processing activities, systems, procedures and technologies affect individuals' data privacy and eliminate risks that might violate compliance.

Conducting DPIAs is a requirement of the European Union's General Data Protection Regulation (GDPR). Some U.S. states have implemented similar privacy assessment requirements, and many organizations voluntarily conduct DPIAs or similar assessments as part of their compliance processes.

In the case of the GDPR, companies must do a DPIA when they begin a new project that's likely to pose a significant risk to people's personal information. Organizations that fail to conduct a privacy assessment could face penalties, including a fine of up to 2% of the company's annual global revenue or 10 million euros ($10.8 million), whichever is greater. Outside the European Union, organizations that process or manage EU citizens' data are also subject to compliance with GDPR requirements, including DPIAs.

Data Protection Conversation with Joe Noonan of Unitrends

4:03

Purpose of a DPIA

DPIAs are an important part of an organization's overall data governance strategy. Many legal experts consider conducting DPIAs to be one of the most important parts of the GDPR. Its mandate requires companies to perform DPIAs before carrying out any data processing that could result in high risks to the rights and freedoms of individuals.

The GDPR's DPIA requirement extends to companies located outside the EU that collect and process the personal data of EU citizens. Whether mandatory or voluntary, the purpose of a DPIA is to identify vulnerabilities in the systems and processes that organizations use in gathering and handling sensitive information.

There are many different reasons to conduct a DPIA and circumstances where it is appropriate. According to the European Commission, the EU's legislative arm, a DPIA is mandatory at a minimum in these instances:

• An extensive, systematic evaluation of the personal aspects of an individual, including profiling.
• The processing of sensitive data on a large scale.
• The systematic monitoring of public areas on a large scale.

What to include in a DPIA

The GDPR and other privacy regulations don't outline a precise format for a data protection impact assessment or provide a clear DPIA template. Organizations can follow an approach that complements their practices and fits the frameworks they already have in place. However, a DPIA might include the following steps:

1. Identify a data processing operation that might have high risk of affecting an individual's rights and freedom.
2. Chart the flow of information during the process, including collection, storage, use and deletion.
3. List any threats or vulnerabilities to personal data collection.
4. For each risk, evaluate how to reduce the impact.
5. Record the outcomes of the DPIA in a report that is signed by executives.
6. Use the report to ensure the project plan follows guidelines as well as for privacy risk mitigation.

While organizations should conduct DPIAs in the early stages of planning a data processing program, the assessments should be ongoing. In addition, DPIAs should take into account risk management, especially with regard to individuals' privacy and the potential to compromise their personal data. Although a DPIA doesn't have to indicate that all data protection risks have been eliminated, it should help companies document them and assess whether any remaining risks are justified.

Many organizations conduct privacy impact assessments (PIAs), a method of identifying and assessing privacy risks in the development lifecycle of computer programs and systems. There is some overlap between DPIAs and PIAs.

Who should be involved in a DPIA?

Organizations managing personal data typically have data protection officers who oversee the DPIA process and ensure it's completed. Organizations that don't have a DPO often designate an employee who has the needed expertise as the DPO during the process.

Under the GDPR, a DPIA is the responsibility of a controller, which refers to the company or person who determines the methods used to collect and process data. For example, a bank that outsources data processing to a service still must complete a DPIA as part of GDPR compliance.

Data controllers assist the DPO in ensuring the DPIA is completed. Controllers provide legal expertise, help justify an organization's need for the processing of personal data and help determine the right type of processing.

Other professionals who participate in a DPIA include the following:

• Data processors who ensure compliant data processing.
• Data security staff who understand the tools and policies in place to secure data.
• Other employees who understand and handle sensitive data and privacy policies.

Situations that require a DPIA

Article 35 of the GDPR specifies that EU-based businesses must conduct DPIAs if their processes require the use or disclosure of sensitive and personal data. Certain U.S. states, such as California, Colorado and Virginia, require that DPIAs be conducted under similar circumstances.

Examples of situations where a DPIA should be conducted to proactively ensure the privacy and security of sensitive information include the following:

• A bank screening its customers against a credit reference database.
• A hospital planning to implement a new health information database with patients' health data.
• A bus operator getting ready to implement new technologies, such as onboard cameras, to monitor drivers' and passengers' behavior.
• A payment processing company implementing technology to collect consumers' biometric data, such as fingerprints and eye scans.
• A law enforcement agency tasked with protecting specific individuals, such as whistleblowers, which requires collecting their personal data and means of tracking them.

When it is unclear whether a DPIA is required, the assessment might still be carried out because it's a useful tool to help organizations comply with data protection laws and regulations.

Situations where a DPIA isn't required

There are cases in which businesses handling large data volumes aren't required to conduct a DPIA. Organizations that are transparent about their data activities, documenting them in ways that prove the types of data they collect and handle don't infringe or have significant effects on the rights of the data subjects, might be able to forgo DPIAs. For example, a DPIA wouldn't be required for community doctors processing the personal data of their patients when the processing isn't on a large scale and the number of patients is limited.

Private sector organizations in the U.S. already conduct risk assessments that are similar to DPIAs. They then disclose those results to prove compliance with local, state or federal regulations. This provides reassurance to customers, partners and other stakeholders. A DPIA might be unnecessary in those cases. For instance, organizations providing private health insurance in the U.S. must comply with the Health Insurance Portability and Accountability Act and conduct assessments similar to a DPIA to prove they are HIPAA-compliant.

Benefits of running a DPIA

DPIAs can be difficult and protracted processes. However, they offer a range of benefits even if conducted within a jurisdiction where it isn't mandatory. The benefits include the following:

• Meeting compliance standards. The final DPIA results can serve as definitive proof that mandatory compliance standards are met.
• Involving employees in data protection. Since DPIAs are a collective effort, the process ensures employees are aware of and implementing data protection requirements. It gives employees the opportunity to see where processes need to be refined.
• Sharing workloads. Using a DPIA to demonstrate compliance with one or more standards requires the participation of several data privacy and security professionals in an organization who are collectively working together so that the burden isn't on one person or team.
• Refining data retention policies. DPIAs let organizations see the risk involved in collecting too much unnecessary data, including the potential for data loss, privacy infringements and data breaches. The assessment can lead to revising data retention policies to emphasize data minimization, which ensures only necessary new data is being collected and retained.

Challenges of running a DPIA

Despite the benefits of running a DPIA, there are challenges to consider as well. They include the following:

• Effort required. DPOs and other data professionals have to set aside time to conduct a full DPIA. Documenting the entire process for the final DPIA report is tedious and requires input from privacy and security teams.
• Determining scope. Organizations need to take time to carefully identify what data should be included in a DPIA. Only data with privacy implications should be included.
• Reevaluations required. Since compliance standards and business processes can change, a DPIA must be reevaluated and updated regularly to ensure data protection measures remain current.

A successful data protection strategy involves key components that can help facilitate the DPIA process. Learn about the core elements of an effective data protection strategy.