Do I need a Data Protection Impact Assessment to avoid GDPR fines?
Companies due to rapid technological development can conceptualize and develop new and innovative business models. However, a lot of times companies introduce changes within their workings that requires them to process huge amounts of data. In this case, they have to do a Data Protection Impact Assessment (DPIA). If you conduct a DPIA, it will help you understand and execute compliance to avoid GDPR fines.
Everytime, you make a change, according to the General Data Protection Regulation (GDPR), you need to do an impact assessment. The change you introduce can be a technological one or a structural one. Regardless of the type of change, you need to do an impact assessment. If you fail to carry out this assessment, it can lead to GDPR fines of 20 million or 4% of revenue, whichever is higher.
In this article, we aim to provide businesses with a basic understanding of a Data Protection Impact Assessment (DPIA). We also give you the pointers you need to conduct one to avoid gdpr fines.
Who needs to do a Data Protection Impact Assessment?
We have so far in our research and experience not found an answer that experts would agree upon. GDPR enthusiasts have not been able to answer it sufficiently. We came up with some pointers to make it easy for you to understand. Here are the essentials you need to consider in order to avoid the gdpr fines:
- If your organization processes Special Categories Data (refer to the Defining Data Categories under the GDPR to know more)
- Companies/organizations that process data on a large scale (refer to the Defining Large Scale section to know more)
- If your organization/company does profiling of individuals
- Companies/organizations that directly target their service/product towards children
Article 35 of the GDPR also allows Data Protection Authorities (DPAs) to issue blacklists of Processing Activities. These lists contain all activities for which you are required to conduct a DPIA to avoid gdpr fines. You can add these in your DPIA template as well to refer to later. Here’s a list that the German Authorities have come up with.
Below is Daniela Duda's (a renowned specialist in Germany) answer to this question.
What is a Data Protection Impact Assessment?
The European Union (EU) introduced the Data Protection Impact Assessment as a tool under the General Data Protection Regulation (GDPR). The GDPR recommends it for doing a risk analysis of the threats that a processing activity in a business entails.
If you introduce a new technology in your organization which automates processing activities you need to do an assessment. You need to leverage it to assess and ultimately reduce the risks of the processing. If you reach the conclusion that it results in considerable harm for the individuals involved, consult the DPA as well.
The Data Protection Impact Assessment will help you organise your projects as well as simultaneously help you dodge gdpr fines.
What does the General Data Protection Regulation (GDPR) say about DPIA?
According to Article 35, you as a controller are responsible for carrying out an assessment:
“Where a type of processing, in particular, using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.”
Article 35(3) stated above lays out the rules for when exactly an assessment needs to be carried out. In short, it states that you have to carry out a data protection impact assessment for any type of processing. It becomes especially important when you introduce new technologies, and analyse how data will be processed using these technologies.
Moreover, you need to take into account the nature, scope, context, and purposes of the processing itself. If you recognize a high risk to the rights and freedoms of natural persons then go back to project planning. You must integrate a data protection impact assessment before you start the project. You, as the controller, also have to consult with the relevant Data Protection Authority (DPA) if there are high risks.
If you use the DPIA template or customize it for use by your company, add the article of the GDPR. This will serve as a guiding legal basis and can be referred to at any time.
Defining Nature, Scope, and Context
To make it simpler for you to understand, let’s take an example:
A hospital records and processes the health data of its patients. The nature of the processing is defined as the type of data that you are processing. For example, as a doctor you collect blood samples and the history of illnesses. You use this data to prescribe a treatment or medicine so the person can recover.
All this data, under the GDPR, is categorized as PII. The scope of the processing is defined as the scale of your processing activity. Basically, it asks who has access to data and how much data are you processing. So, in our example a doctor examines 30 patients after listening to their complaints and records their information. This data can be processed by 15 doctors who have access to the data. So nurses for instance, cannot access the data. Processing is also not automated. A doctor can look at the stored data but there is no algorithm that analyses it and suggests a diagnosis. In the future, those 15 doctors can use this data to diagnose the patients as well. You need to define how long you keep this data as well in Records of Processing Activities document. This would be the scope in our example.
The context is defined as the situation in which the data is recorded and processed. In this case, it is the hospital and the legal basis is consent. So when a patient comes in, you need to explicitly ask them for consent for their data. If it is a regular patient, you won’t need to do this every time they come in. However, if you change something in the processing then you need to inform them again.
These pointers need to be clearly mentioned and sketched out in your DPIA template.
Defining Data Categories under the GDPR
If you understand these categories, you can conduct a Data Protection Impact Assessment easily. You can also train your project managers to be able to distinguish between data categories. The General Data Protection Regulation defines personal data as any information of an individual which can help you identify them.
This data could be any professional data or any other private data that a person can have. It also includes data that is indirectly identifiable through cross referencing. An example is a matriculation number assigned to you at university or your IP address.
Special Category of data is another typology of data under the GDPR as set out by Article 9. It lays out the framework for processing of sensitive data. Sensitive data is defined as any data that could reveal the racial and ethnic origins or political or religious views. It also includes any data that reveals trade union membership, health data or other biometric data.
If you process sensitive or personal data you needs to record it under the GDPR as Records of Processing Activities documentation. You need to do this record keeping for all processing of data.
Further Data Categories
Here are some further definitions, according to Pegasystems, that you might find useful:
Data concerning health is defined by the GDPR as personal data related to physical or mental health of an individual. It includes the provision of health care services, which reveal information about his or her health status.
Genetic data is defined by the GDPR as personal data relating to inherited or acquired genetic characteristics of an individual. It includes data that gives unique information about the physiology or the health of that natural person. It’s any data that you get from an analysis of a biological sample from the natural person in question.”
Biometric data is personal data from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual. It’s any data which allows or confirms the unique identification of that natural person. Examples are facial images or dactyloscopic data. (Pegasystems, 2018)
Defining Large Scale
Processing data on a “large scale” is difficult to define and there is much ongoing debate about the legal terminology. If you process data on a large scale, you have to conduct a DPIA to not get gdpr fines. So what exactly is large scale? According to EC Europa:
“The GDPR does not define what constitutes large-scale. WP29 recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale:
- The number of data subjects concerned - either as a specific number or as a proportion of the relevant population
- Volume of data and/or the range of different data items being processed
- The duration, or permanence, of the data processing activity
- Geographical extent of the processing activity.”
This is also what we know for sure:
- If you’re processing Special Category data, then even with one data subject because you have to conduct a DPIA. Add this as a footnote in your DPIA template.
- As a freelance practitioner, any number of data subjects more than average require a Data Protection Impact Assessment. Examples of freelancers are doctors, lawyers, or other professions dealing with clients. Any number of data subjects more than average in your particular field is considered large scale.
- Similarly, as an organisation where data processing is an integral part of your business you need a DPIA. If it is a regular activity then based on the following factors, you can justify why or why not you are processing on a large scale: number of data subjects, the volume of personal data and geographical locations.
Here are some examples you can add in your Data Protection Impact Assessment:
“...processing of patient data in the regular course of business by a hospital, processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards), another one is processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialized in these activities, processing of customer data in the regular course of business by an insurance company or a bank processing of personal data for behavioural advertising by a search engine processing of data (content, traffic, location) by telephone or internet service providers.
Examples that do not constitute large-scale processing include:
the processing of patient data by an individual physician
processing of personal data relating to criminal convictions and offences by an individual lawyer” (EC Europa, 2018)
As a form of guide and for your Data Protection Impact Assessment to effectively help you avoid fines, you can add these examples to your DPIA template to serve as a tool for understanding the process. Different Project Managers then can refer to the same document.
When is it necessary to conduct one?
You need to carry out a Data Protection Impact Assessment (DPIA) when you do systematic and extensive profiling. You also need to carry it out when you do significant decision-making about people. Especially, when it is done through automated processes or algorithms. When you use new technologies to process data on a large scale you need to do a Data Protection Impact Assessment.
Moreover, if you use technology that processes special category data or criminal offence data an assessment needs to be carried out. Any technology with which you process personal data and criminal offence data, you need to have a pertaining DPIA for it.
When you use profiling, automated decision making and processing of special category data do a DPIA. Especially when you use these processes to make decisions on opportunities and access to these opportunities, services or benefits. For example, getting a phone or network contract from a carrier or getting a loan.
Regular and Systematic Processing
When your organisation indulges in regular and systematic monitoring, a Data Protection Impact Assessment becomes necessary. EC Europa sums up the notion of systematic monitoring:
“The notion of regular and systematic monitoring of data subjects is not defined in the GDPR. But clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising. However, the notion of monitoring is not restricted to the online environment.”
If you are combining and accessing data from multiple sources to compare or match, a DPIA is also recommended. For instance, making shopper’s profiles from data you get from their social media public profiles or online shopping behaviour. If you are tracking the online or offline location and generate data through it, then a DPIA is also essential.
In case your company is processing children’s personal data you need to do an assessment. Even if you do this through automated decision-making or for marketing it requires a Data Protection Impact Assessment. You will also need a consultation with the DPA if the service or product is being marketed directly to them.
If you identify that processing of personal data could result in a risk of physical harm an assessment is required. Physical harm under the GDPR is considered very serious in nature.
How to conduct a Data Protection Impact Assessment?
Companies need to conduct a Data Protection Impact Assessment before the start of the project especially before the start of processing.
Step 1: Describe the Processing
You need to describe in detail the nature, scope, context and purposes of the processing. Make sure that you ask your data processors to collaborate with you in order to fully understand and document their processing activities and identify any associated risks.
For instance, if you are tracking shopping behaviour, you would define the scope of the tracking. What exactly do you track? Do you track what consumers buy, the products they look at, how long they look at a product? This needs to be stated clearly.
You also need to state why exactly you are doing the tracking: to make useful, personalised, recommendations. Answer the question of how you protect the data. Where the servers are located, what’s the necessity of the processing activity and basically answer all the questions that you would look at when you do your standard records of processing activity. You need to document all of this for your processing activity.
Step 2: Identify the risks of the processing activity
Work together with your team to identify all the risks that this activity might have for the rights and freedoms of the individuals from whom you are collecting the data. We check that the processing is necessary for and proportionate to our purposes, and describe how we will ensure data protection compliance. The assessment of severity of risks to individuals rights and interests needs to be done as objectively as possible.
Step 3: Document everything!
You need to document all of this for your DPIA including any disagreements you have with your Data Protection Officer (DPO). After documentation, you can move forward to implementing the measures you have integrated into your project planning.
Hauke Holtkamp advices companies to “...track statistics as opposed to making profiles.” He elaborates by giving the example of ECOMPLY.io:
“We want to understand how our users go through each step to comply with the GDPR. To see how much time our users spend on each step so we can make the app better by analysing further the steps where more users get stuck. It can easily be done anonymously by not making profiles of our users but just by looking at statistics of each step. This way we incorporating the principles of privacy within our app.”
Challenges of conducting a DPIA
When companies use external parties to conduct a Data Protection Impact Assessment, the challenges they face are that the clients do not want to carry out the Data Protection Impact Assessment due to lack of awareness of what it constitutes and what its consequences might be. Therefore, usually there’s a fear that somehow carrying out one would result in restricted business practices and options.
Another issue is the lack of information to enable a Data Protection Impact Assessment to be carried out fully. This is due to two reasons, first because the GDPR is relatively new and only a small percentage of the companies are somewhat compliant. This means that they are not fully aware of their data pathways and trajectories making the documentation in the DPIA a bit difficult to complete.
There’s also a negative connotation attached to the Data Protection Impact Assessment that it is extremely arduous and time-consuming. This puts off companies from embarking on any such assessment or investing time or financial resources into it even if it means huge gdpr fines.
Hauke Holtkamp, Cofounder of ECOMPLY.io, having talked to their customers says that the:
“The biggest challenge for our customers is to figure out where to start since right now there’s not much reference material. Also, a lot of business model depends on some non-compliant processes. However, a DPIA is a good instrument for realizing where in your business you have non-compliant processes.”
Benefits of a Data Protection Impact Assessment
Conducting a Data Protection Impact Assessment before the start of a project will allow you to be aware of the information flow within the project from the very beginning.
- It will improve your communication regarding data privacy to different stakeholders
- You can garner confidence among your user-base and customers that you process their data responsibly
- Your organization can ensure that your users are not at risk and reduce the costs for when a security breach does take place
- It will also help you reduce operational costs by optimising the flow of information
- You will avoid gdpr fines by maintaining compliance
The GDPR is still a relatively new legislation and the DPIA has not been conducted by businesses at this point. It is firstly, extremely important to map all your business data flow and train your staff to understand how data flows through your business and is processed.
Your organization should also train staff to assess when a DPIA is needed and how to conduct it. You should see this as an integral part of compliance. In general,you should conduct a DPIA for any new process, employee or organization measure that you change.
According to Hauke Holtkamp:
A Data Protection Impact Assessment to avoid GDPR fines is incredibly hard to do as a business. First thing you should do is get structure of your processes. If you can formulate an ordered list of processes and go through it like a checklist stating which one is “harmful” and which is “harmless”. This will make it easy to structure the carrying out of the assessment if you have a good understanding of your processes. In the end, if you identify high risks for certain processes, make sure you implement measures to reduce those risks.”