The Data Protection Impact Assessment (DPIA) is set out in Article 35 of the GDPR. It is driven by the “data protection by design and by default” principle (Article 25) and is a new obligation introduced by the GDPR.

The principle is –

“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”

The main objective of the DPIA process is to help identify and minimise the data protection risks of a project. Conducting a DPIA is now mandatory for processing that is likely to result in a high risk, and it is an integral part of a privacy by design approach.

A DPIA is conducted for a project that involves the processing of personal data. It is mandatory where the processing is likely to result in a high risk to individuals, and good practice for any other project that processes personal data. Ideally a DPIA should be started during the planning stage of a project and kept up to date as the project develops.

A DPIA should –

  • Describe the nature, scope, context and purposes of the processing
  • Assess necessity, proportionality and compliance measures
  • Identify and assess risks to individuals
  • Identify any additional measures to mitigate those risks

A DPIA is required if –

  • You are using new technologies
  • You are tracking people’s location or behaviour
  • You are systematically monitoring a publicly accessible area on a large scale
  • You are processing personal data relating to “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”
  • Your processing is used to make automated decisions about people that have legal (or similarly significant) effects
  • You are processing children’s data

How to conduct a DPIA (Data Protection Impact Assessment)

The GDPR does not prescribe a step by step process for a DPIA, so organisations are free to use a framework that fits and complements their existing working practices, as long as the assessment covers what Article 35 requires. The basic steps of a Data Protection Impact Assessment are –

  1. Identify the need for a DPIA

    A DPIA should be conducted as early as possible in the life of a new project. That makes it easier to incorporate its findings and recommendations into the design of the processing operation before it is too late. A DPIA is only mandatory where the processing is likely to result in a high risk to individuals. The GDPR helps here by explicitly listing three cases (Article 35(3)) in which a DPIA is always required:

    1. A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
    2. Processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences.
    3. A systematic monitoring of a publicly accessible area on a large scale.
  2. Describe the information flow

    Once you have confirmed that a DPIA is required, the next step is to describe the information flow. This means documenting how the personal data within the processing operation is collected, stored, used, shared and disposed of.

  3. Identify data protection and related risks
  4. Identify data protection solutions to reduce or eliminate those risks
  5. Sign off the outcomes of the DPIA
  6. Integrate the data protection solutions into the project

What Are the Benefits of a Privacy Impact Assessment?

There are several benefits associated with conducting privacy impact assessments. These benefits include:

  • Providing an early warning that privacy may be breached, so that safeguards can be implemented and future privacy issues prevented.
  • Avoiding costly or detrimental privacy blunders.
  • Providing evidence that the organisation attempted to prevent and protect against privacy breaches, which reduces damage to reputation, negative publicity and liability.
  • Enhancing informed decision-making procedures and processes.
  • Helping the organisation gain the confidence and trust of the public.
  • Demonstrating to employees, customers, citizens and contractors that the organisation takes their privacy seriously.
Both the severity and the likelihood of harm to individuals should be considered when assessing the level of risk. A high risk could result either from a lower probability of serious harm or from a high probability of lesser harm.

If you identify a high risk that you cannot mitigate, you must consult the supervisory authority (in the UK, the ICO, the Information Commissioner’s Office) before you start the processing (Article 36).

The ICO will give written advice within 8 weeks, extended by up to a further 6 weeks for complex cases (8 to 14 weeks in total). Based on that advice you may be able to proceed with the processing, or the ICO may issue a formal warning not to process the data or ban the processing altogether.