We are excited to be releasing our biggest feature this year - the Data Protection Impact Assessment (DPIA). In this article we look at the challenge of providing a DPIA, what the ECOMPLY solution looks like and what you will see in the ECOMPLY software as a result.
The difficulty of performing a DPIA (and why it is hard to write software for it)
Article 35 of the GDPR lists the requirement of performing a Data Protection Impact Assessment or DPIA. By adding this article, presumably, the lawmakers wanted to add an extra layer of protection for high-risk operations and bring controllers to consider a risk-based approach (in contrast to an allowed/not-allowed approach). However, the 11 paragraphs of Article 35 only provide hints of what a DPIA really means in practice. Although many years have passed since Article 35 was written, only very limited advice is available from official sources, and experts have been discussing the pros, cons and hows of DPIAs at length.
The first difficulty in a DPIA is that it is supposed to be performed on operations ‘likely to result in a high risk’ (paragraph 1) and then provide ‘an assessment of the risks’ (paragraph 7.c). This creates a circular argument: in order to determine whether a DPIA is necessary, a DPIA needs to be performed. The limiting factor here is that performing a DPIA takes considerable effort and is infeasible to do on every operation in an organization. Authorities try to address this problem by providing white lists (where definitely no DPIA is needed) and black lists (where a DPIA is mandatory). But so far, these lists are somewhat vague and short, leaving lots of room for interpretation.
Risky operations require a risk assessment.
The second difficulty arises from the actual execution of the DPIA. Article 35 only states what the result of a DPIA shall contain. It does not provide instructions on how to reach these results. Authorities have said little on this matter. As it stands today, the (notoriously hard to use) CNIL PIA tool remains the only practical assistance tool for this problem.
How to get to a risk assessment?
The third difficulty is staffing. Performing these tasks requires expert knowledge in the field and years of training with tools and topics. There are not enough people who are qualified to perform (or contribute to) a DPIA for all of the legally required DPIAs. It is infeasible to train enough people in an organization to be able to perform DPIAs in their respective departments. If they are done at all, they are usually written inside legal or data protection departments with little or no knowledge of the actual processing activity at hand. This leads to a dilemma where DPIAs are either:
- Prohibitively expensive due to the amount of staff and time involved
- Or solely academically written and far from reality (providing no real value in actual risk assessment)
- Or not done at all
Risk assessments are incredibly resource intensive.
The difficulty in providing a software solution for a DPIA is bridging the gap between the data protection expert (who has the knowledge needed to understand DPIAs) and general staff (needed to do DPIAs).
The ECOMPLY solution
The ECOMPLY solution for DPIA draws from years of experience. We have been watching closely what authorities are communicating on the topic. We have been speaking at length with our customers. We are following what thought leaders in the industry are saying about the topic.
The result combines the considerations (difficulties) listed above into a pragmatic solution. That means our solution is not based solely on the legal text, leaving it to others to put it into practice. Instead, it is meant to be used right out of the box, every day, in practice, by real people, yielding tangible results.
Ultimately, the DPIA is about risks. It is supported by identifying necessity and proportionality of the DPIA. Any activity or data collection that does not support these goals is omitted. To achieve this, the DPIA has been streamlined to the following steps:
- Clarify necessity
- Clarify proportionality
- Identify risks
- Quantify risks
- Identify measures
- Quantify measures
- Calculate overall risk
ECOMPLY focuses on the results of the DPIA. A DPIA is not an end in itself. Rather, a DPIA delivers results that were previously unknown. The ECOMPLY DPIA yields:
- individual risks,
- individual measures,
- and an overall risk score for a processing activity.
The entire DPIA is neatly summarized for any interested party, like management, auditors or authorities.
Practical recommendations for performing a DPIA instruct readers to involve many well-trained people. While this is easily said, it is not easily done. In practice, this is prohibitively expensive.
Anyone responsible for a privacy program will tell you from experience that if you set the bar for a DPIA too high, you will not end up with more DPIAs but with no DPIAs. The reality here is that this problem has to be tackled in many iterations, over the course of years. Start with a simple DPIA process that people can actually tackle. If it is too easy and your organization runs out of DPIAs you can always increase the level of detail when you revisit a DPIA.
For these reasons, the ECOMPLY DPIA process is designed to be the simplest one that still provides valuable results. It guides people who are unfamiliar with the topic to a meaningful outcome. This is achieved by the following design considerations.
The process is designed linearly. The person filling out the initial DPIA progresses straightforwardly (no loops, no going back) and without blockers (causing the user to quit in confusion or frustration).
The process is so simple that no personal (human) instructions need to precede it. The software guides the user through the process.
Users see the consequences of their actions. They do not have to fill out seemingly meaningless fields. It is transparent why they are doing what they are doing and how far they have progressed.
At all times, the user is presented with explanations, thought-provoking questions and templates to pick from - so they are never confronted with an empty field and no idea how to fill it.
The process has been streamlined and cut down enough to allow for a first-round DPIA in less than two hours. The philosophy is that a small DPIA is better than no DPIA.
Disclaimer: To achieve this simple process, some details had to be omitted. It is easy to identify places where more could be done or the level of detail could be greater. In fact, we have identified those places and have omitted them deliberately to achieve the goal of a simple process. We are convinced that the reason for the lack of DPIAs right now is not that they are not needed but that they are too time consuming to be done.
What this looks like in practice
If you are looking for a smart, streamlined DPIA assistant, we are happy to demonstrate our solution. During the tour, you will see how necessity and proportionality are determined. Once this foundation has been established, the DPIA assistant guides the user through the creative and analytic process of identifying and quantifying risks. Risks need to be mitigated by measures. The entire process is neatly summarized in interactive in-browser reports and static PDFs that can be emailed.