What is a DPIA?
A DPIA determines whether a set of risks is acceptable from a privacy perspective. The scope of a DPIA is determined by the particular processing (activity) under scrutiny.
The tightest definition of a DPIA is provided in Article 35 of the GDPR, which says that a DPIA must produce the following results:
- The scope and description of the operation, i.e. “What are we talking about, here?”
- The necessity and proportionality of the operation in relation to its purposes, i.e. “Is this processing reasonable to begin with?”
- An assessment of the risks to the rights and freedoms of data subjects, i.e. “What could go wrong (and how wrong)?”
- A list of measures addressing the risks at hand, i.e. “What are we doing to make violations rarer and less harmful?”
In comparison, Article 38 of the Brazilian LGPD is shorter but similar in content, stating that:
“The report shall contain:
- a description of the types of data collected,
- the methodology used for the collection and assurance of information security,
- and the controller's analysis of measures, safeguards and risk mitigation mechanisms adopted.”
Contents of a DPIA
While the goals and target result of a DPIA are clearly defined by law, the means to reach them are not provided. Let us look at each of them separately.
The scope is very straightforward to describe because it has a large overlap with the Records of Processing Activities. Documenting a Processing Activity is the best way to set the scope of a DPIA. As a benefit, this saves time because the work done can be used in two different places.
Necessity and Proportionality
The principle of data minimization establishes that data should not be processed unless necessary to achieve the given purpose. For example, mailing paychecks does require knowing the addresses of the recipients. So to achieve the purpose of delivering paychecks, collecting, storing and processing addresses of employees is necessary. In contrast, collecting, storing and processing employee height and weight information would be unnecessary for the purpose of mailing paychecks.
In addition to necessity, a simple proportionality check is also needed. To stick with the example, would there be any other (reasonable) alternative to mailing paychecks that would be less invasive? If none can be found, then the proportionality is confirmed.
“Risks” is the collective term for any potential threat to the rights of data subjects. Risks vary in the type of threat they can pose, their severity if they occur and their likelihood. Identifying and quantifying risks is essential to a solid DPIA.
To draw a complete picture of the risk situation, measures are considered that reduce either the likelihood or the severity (or both) of a risk. A simple example of a measure is an automated sprinkler system that assists in fire prevention. Measures do not need to be technical; they can also be organizational, like regular training for employees.
DPIA in Practice
In practice, it is hard to come up with comprehensive DPIA results in a reasonable amount of time. Focussing on the essentials is key.
DPIAs are not an end in themselves, but serve to identify risks so they can be addressed. The questions that need to be answered by the Data Protection Officer towards the end of every DPIA are:
- Are the identified risks acceptable (after considering the measures)?
- If they are not acceptable, are there additional measures that could be implemented to reduce the unacceptable risks?
- If such measures are not possible, should the processing be prohibited/stopped?
Answering these questions requires a comprehensive list of risks and measures available for assessment. In the end, risk matrices are a useful tool to visualize a risk situation consisting of multiple independent risks. But let us first consider how to reach that goal.
Step by Step
The first step is to determine the necessity of the DPIA itself. The ECOMPLY necessity assistant is built around good practice recommendations from data protection authorities around the world. Whenever a minimum threshold is reached, the assistant recommends performing a DPIA. Answer these questions to the best of your knowledge.
Once the necessity for a DPIA has been identified, the DPIA assistant becomes available.
The first step of the DPIA assistant is determining the necessity and proportionality of the Processing Activity at hand. In most cases, the necessity and proportionality of the Processing Activity are confirmed. In the rare case of a negative outcome, there is no need to continue with the DPIA. The Processing Activity has to be reviewed instead.
Once the necessity of the DPIA and the necessity and proportionality of the Processing Activity have been determined, the actual DPIA starts. ECOMPLY assists first in identifying risks.
From a list of templates, mentally go through each combination of risk source, damage type and risk to consider whether you think this risk generally applies in this context. You can add custom risks that are not available from the templates. The system displays the number of risks identified.
Next, for each risk identified, estimate its likelihood and potential severity. Note that these estimates are subjective and mainly assist in ranking risks (rather than establishing absolutes).
After step 3, all risks have been identified and rated. The next major step is about matching these risks with measures. In many cases, risks have known measures attached to them that immediately reduce their likelihood and/or severity. In other cases, the system reveals gaps, where risks are not matched by measures and remain unacceptably high.
First, for high and very high risks, identify measures that reduce these risks. You can select measures from a list of templates or add your own. It does not make a difference whether you combine measures inside one text field or multiple.
Once you have listed all the measures, estimate the remaining risk once these measures take effect. Note that there is a difference between measures which are planned (for the future) and measures which are in place today. The remaining risks therefore differ between today (actual) and the future (goal).
In practice, this assessment is only possible for people who are familiar with the measures, for example, members of the IT department. You may have to include them in your assessment.
As a short last step, it is possible to attach files to the DPIA assessment. Usually, this is used for proof and accountability. Examples are vendor assurances, company policies or TOMs lists.
A summary of all available information is displayed at the end of the DPIA. A PDF report can be created with one click.