The GDPR mandates a DPIA (Data Protection Impact Assessment) for data processing that may endanger the rights and freedoms of data subjects.
This type of risk assessment evaluates the impact of high-risk data processing activities on data subjects. Failure to conduct a DPIA when necessary violates the GDPR and may result in fines of up to 2% of an organization’s annual global turnover or €10 million.
To ensure compliance, this DPIA checklist outlines seven critical elements of the process flow.
Step 1: Identify Your DPIA Needs
A DPIA should be performed for processing that is “likely to result in a high risk” to individuals.
However, the GDPR does not define what “likely to result in a high risk” means. So how do you decide?
Although identifying “high risk” is itself part of what a DPIA is for, you still need to screen for the red flags that indicate a DPIA should be performed.
As a starting point, Article 35 (3) GDPR provides for three types of processing that always require a DPIA.
1) Systematic and extensive profiling and significant effects:
(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
2) Extensive use of sensitive data:
(b) large-scale processing of special categories of data referred to in Article 9(1) or personal data relating to criminal convictions and crimes referred to in Article 10;
3) Public monitoring:
(c) large-scale systematic monitoring of publicly accessible areas;
Beyond this, the ICO (the UK Information Commissioner’s Office) has compiled an extensive list of examples of “potentially high-risk” processing.
Below is a simplified chart.
One quick and easy way to determine whether a DPIA is required is to use a dedicated software tool such as the DPIA tool.
Just answer a few simple screening questions and we’ll let you know if a DPIA is required, preferred, or unnecessary.
You may be able to justify a decision not to carry out a DPIA if you believe the processing is unlikely to result in a high risk. The reasons for this decision should be documented.
Step 2: Process Description
You must explain exactly how and why you are using the personal data you are processing.
A description of this process can be useful evidence and justification for deciding whether to perform a full DPIA.
Your explanation should cover the nature, scope, context and purpose of the processing.
Let’s look at each of these terms in more detail.
The nature of the processing is how you process personal data. The GDPR identifies a number of different types of personal data processing.
When describing the nature of the processing, the following should be outlined:
- How you collect and store the data.
- Who can access the data and with whom it is shared.
- Whether you use a processor.
- How long you keep the data.
- The security measures in place to protect the data.
- Any new technologies or new types of processing used.
The scope of the processing is what the processing covers. When documenting the scope, the following should be outlined:
- Type or nature of personal data
- Quantity and diversity of personal data
- Sensitivity of personal data
- Extent and frequency of processing
- Processing time intervals
- Number of data subjects involved
- Geographic regions covered.
To explain the context of the processing, you need to consider the bigger picture. This includes internal and external factors that may affect expectations or impact, such as:
- The source of the data.
- Your relationship with the individuals.
- How much control individuals have over their data.
- Whether individuals are likely to expect the processing.
- Whether the individuals include children or other vulnerable people.
- Any relevant advances in technology or security.
- Any current issues of public concern.
Finally, you should explain why you are processing personal data. This should include:
- Your legitimate interests (if applicable).
- The intended outcome for individuals.
- The expected benefits for you and for society at large.
Software can help speed things up here too.
The DPIA tool contains a process description questionnaire divided into four sections: scope, nature, context, and purpose.
Answering all the questions will help you quickly create a systematic description of your processing activities.
Step 3: Consider Consultation
The views of individuals (or their representatives) should be sought and documented unless there is a good reason not to.
In most cases, there should be some form of consultation. Let’s look at two common scenarios.
1) You are processing existing contact data
If you are dealing with data from existing contacts (existing customers, employees, etc.), you should design a consultation process to solicit stakeholder input.
2) You plan to collect personal data from individuals you have not yet identified
In this scenario, it may be necessary to go through the more general public consultation process. This includes market research within specific demographics and contacting relevant consumer groups for their opinions.
If, after consultation, the DPIA’s decision conflicts with the individual’s views, the reasons for disregarding that view should be documented.
Please note that consultation is not always appropriate.
For example, it is reasonable to skip consultation if it could compromise commercial confidentiality or pose a security risk.
However, if you decide not to consult, you should record this decision as part of your DPIA with a clear explanation.
Step 4: Necessity and Proportionality Assessment
First, let’s find out what is meant by necessity and proportionality.
Necessity is a basic principle when assessing the lawfulness of the processing of personal data.
Processing operations, retention periods and the categories of data processed must be limited to what is necessary for the purpose of the processing.
Proportionality is a general principle of EU law.
In the context of personal data processing, only personal data that is adequate, relevant and limited to what is necessary for the purposes of the processing should be collected.
You should outline how you ensure data protection compliance. This is a good measure of necessity and proportionality.
Specifically, you should include the following relevant details:
- Your lawful basis for the processing.
- How you prevent function creep.
- How you ensure data quality and data minimization.
- How you provide privacy information to individuals.
- The steps you take to ensure your processors are compliant.
- The safeguards you have in place for international transfers of personal data.
The Principles Questionnaire included in the DPIA tool helps you quickly assess the necessity and proportionality of the processing.
It consists of eight sections covering individual principles of data protection, data subject rights and measures to protect data subjects.
Answering the questions will tell you if and how the process in question upholds data protection principles and data subject rights.
Step 5: Identify and assess risks
It is important to consider the harm or damage your processing may cause to the parties concerned. This can be physical, emotional, or material.
In particular, consider whether the processing could lead to significant economic or social disadvantage. Examples include:
- Inability to exercise rights.
- Inability to access services or opportunities.
- Loss of control over the use of personal data.
- Identity theft or fraud.
- Financial loss.
- Reputational damage.
- Physical harm.
- Loss of confidentiality.
- Re-identification of pseudonymized data.
To assess whether a risk is high, both the likelihood and the severity of the possible harm must be considered.
A risk rating matrix provides an easy way to quantify risk using a simple scoring system.
Alternatively, the DPIA tool contains everything you need to objectively assess risk.
Based on your risk assessment, you should establish criteria for accepting risk.
Generally speaking, there are three categories: widely accepted, tolerable, and intolerable. Here’s what it looks like in action within the DPIA tool:
It is also worth considering the company’s own corporate risks, such as the impact of regulatory measures, reputational damage, and loss of public trust.
Step 6: Identify measures to mitigate risk
Now that you have assessed the risks posed by the processing, you should consider ways to mitigate those risks, for example:
- Refraining from collecting certain types of data.
- Taking additional technical security measures to protect the data.
- Training staff so that risks are anticipated and controlled.
- Anonymizing or pseudonymizing data.
You should record whether each measure reduces or eliminates the risk.
Consider the costs and benefits of each measure when deciding whether it is appropriate.
Step 7: Sign off and record results
To complete the DPIA, you will need to record:
- Additional actions you plan to take.
- Whether each identified risk has been eliminated, mitigated or accepted.
- The overall level of ‘residual risk’ after taking additional measures.
- Whether the supervisory authority needs to be consulted.
It’s important to remember that you don’t have to eliminate all risks all the time.
Given the benefits of the processing and the difficulty of mitigation, you may determine that some risks are acceptable.
However, if the risk is still high, the supervisory authority should be consulted before proceeding.
You don’t have to be a GDPR expert to complete the DPIA
Save time, reduce errors and easily demonstrate how you are complying with your data protection obligations with the DPIA tool.
Suitable for organizations of all sizes, this easy-to-use tool speeds up and simplifies the DPIA process, letting you:
- Quickly determine if a DPIA should be performed,
- Conduct a consistent and comprehensive DPIA,
- Identify risks and determine their likelihood of occurrence and impact,
- Easily review and update your DPIA when changes occur in your processing activities, and
- Easily share information with stakeholders and regulators.