The concept of privacy impact assessments (PIAs) is not new to the IT security landscape, as they have long been a feature of data protection best practices.
However, under Article 35 of the EU’s GDPR, failing to conduct an adequate data protection impact assessment (DPIA) can now expose companies to costly administrative fines and penalties. Organizations that fail to conduct a proper DPIA are risking fines of up to €10 million or 4% of annual revenue, whichever is greater.
When and how to conduct a proper DPIA remains one of the GDPR’s most misunderstood requirements. All companies gathering or processing data of EU residents should be mindful of the GDPR’s requirements and be prepared to make changes to internal business practices to ensure compliance going forward.
DPIAs mandated in “high-risk” scenarios
In particular, the GDPR mandates DPIAs in scenarios “likely to result in a high risk.” Article 35(3) of the GDPR lays out a non-exhaustive list of situations requiring a DPIA:
- Using systematic and extensive profiling with significant effects;
- Processing special category or criminal offense data on a large scale;
- Systematically monitoring publicly accessible places on a large scale;
- Using innovative technology;
- Using profiling or special category data to decide on access to services;
- Profiling individuals on a large scale;
- Processing biometric data;
- Processing genetic data;
- Matching data or combining data sets from different sources;
- Collecting personal data from a source other than the individual without first providing them with a privacy notice;
- Tracking individuals’ locations or behaviors;
- Profiling or targeting children for marketing or online services; or
- Processing data that might endanger the individual’s physical health or safety in the event of a security breach.
When determining whether a process is “high-risk,” companies must consider both the likelihood and the severity of any impact on individuals. High risk could result either from a high probability of some harm, or from a lower probability of serious harm.
How do I know whether a DPIA is necessary?
Companies should make a concerted effort to document their review of data processing procedures and their determination of whether or not a DPIA is necessary, even when they ultimately decide not to conduct one. This documentation will assist in defending against any compliance challenge.
Our flow chart may be helpful to companies evaluating whether a DPIA is necessary:
Next steps for DPIAs and PIAs
If a DPIA is deemed necessary, companies must be mindful that there are important and significant differences between GDPR-mandated DPIAs and traditional PIAs.
First, GDPR requires the company to describe the nature, scope, context and purposes of the data processing. Below is a non-exhaustive checklist of topics to consider and answer:
- What is the nature of the personal data?
- How much and what variety of data will be collected?
- How will data be collected and stored?
- How sensitive is the data?
- What is the extent, frequency, and duration of the processing?
- What is the company’s relationship with the individuals?
- Who will have access to the data? Who will it be shared with?
- Are any processors used?
- How long will data be retained?
- What security measures are in place to protect the data?
- What, if any, new technologies or novel types of processing are used?
- How much control will individuals have over their data?
- How likely are individuals to expect the processing?
- Will the individuals include children or other vulnerable populations?
- What are the company’s legitimate interests for collecting/processing the data?
- What are the company’s intended outcomes for the individuals?
- What are the expected benefits for the company and for society as a whole?
Companies must then assess the necessity and proportionality of their data processing under the guidelines established in Article 29 of the GDPR and general principles of international law.
In this analysis, companies should consider the risks the processing poses to individuals, as well as any measures the company can or will take to mitigate those risks. If a DPIA identifies a high risk that cannot be mitigated, organizations must consult the relevant supervisory authority before starting the processing. The supervisory authority will provide written advice on how to proceed.
Conducting a sufficient DPIA may require consultation with not only a data protection officer, but also departments not typically involved in IT matters, as well as relevant experts and legal counsel.