How to perform a data protection impact assessment (DPIA) under GDPR

A meter showing levels of risk, with then needle landing on the 'high' section
(Image credit: Shutterstock)

The EU's General Data Protection Regulation (GDPR) was designed to harmonise data privacy laws across all European countries and to provide greater protection and rights to individuals.

While regarded by many the world's strongest set of data protection rules, for some organisations the new legislation - which directly impacts all companies based in, or doing business with companies or individuals based in the European Economic Area (EEA) - brought with it significant disruption. Established processors and methodologies became non-compliant effectively overnight, leaving businesses facing a major upheaval in the way they collect and process data.

In order to minimise this disruption, and to demonstrate an ongoing commitment to the principles of GDPR, most companies are now legally required to perform an assessment of their current processes and identify any potential areas of risk.

What is a data impact assessment?

A data protection impact assessment (DPIA), sometimes referred to as PIAs (privacy impact assessments), is a mandatory requirement that all organisations must follow under Article 35 of GDPR. This article states that data controllers embracing new technologies that are likely to infringe on the rights and freedoms of data subjects must, prior to any data processing, conduct a thorough assessment of the impact on data protection that such activity is likely to have.

In reality, if a business is about to launch a new service that processes data, then a DPIA is typically required, as even the smallest risk that GDPR may be breached in some way will need to be assessed.

This is a key staple of GDPR that's been designed to ensure organisations are aware of the risks when launching any new product or service that involves processing people’s data. As such, DPIAs are foundational to an organisation’s data protection framework. Failing to comply with this key requirement could lead to a fine of up to €10 million or 2% of global turnover, whichever is higher.

The primary aim of the DPIA is to assess the risks potentially involved in processing data - not to eliminate these risks. This framework should be used, therefore, to reduce the potential risks in processing data by making decisions over what an acceptable level of risk is, internally, weighed against the desired results. Thankfully, the process of devising DPIAs is uncomplicated and can be done quickly, as there’s no strict template to follow. Any document, or exercise, that assesses risks in the way that suits your own business, and its operations, count as valid DPIAs.

If a business falls foul of GDPR as a result of the new process, having a DPIA record for that process will be considered an act of due diligence in the eyes of a data regulator. Conversely, a missing DPIA will likely lead to far tougher sanctions in the event of a breach of GDPR.

Do I need a data impact assessment?

All organisations that process data are required to assess the risk that processing poses to data subjects, both before processing occurs and after a system is implemented. This is to ensure that a company has thought ahead about how it uses data, has anticipated potential problems and has worked to address these.

The hope is that this will help to create more robust processes with data protection built-in from the ground up. In that sense, it's best to view these assessments as a means to improve your data processing practices early on, rather than as a compliance exercise.

Technically speaking, only those organisations which have types of processing that are likely to result in a high risk to the rights and freedoms of individuals' are required to perform a DPIA. Risk, in this sense, refers to a remote chance of harm to an individual, whereas High Risk suggests this is more likely.

That means companies are only required to perform this initial screening test to determine if they need to do a DPIA. Generally speaking, any processing that could involve evaluation or scoring, automated decision-making, highly sensitive or highly personal data, data related to vulnerable subjects, systematic monitoring, large scale data sets, or new technological processes, would be considered factors likely to result in a higher risk to data subjects.

Also, automated processing involving systematic and extensive profiling, processing involving large scale use of sensitive data, and anything involving the monitoring of public spaces, all require DPIAs in order to make these legal.

However, because there are a number of benefits associated with DPIAs, and because the term risk' is only loosely defined under GDPR, it's considered best practice to perform a DPIA regardless of your circumstances.

In fact, following a number of conversations with various spokespeople at the Information Commissioner's Office, it's clear that an organisation can significantly reduce the likelihood of regulatory action following a data incident if they're able to show evidence of a robust DPIA.

How do I perform a data impact assessment?

There is no strict template on how a DPIA should look, however, the Information Commissioner's Office does offer its own (pdf), if you wish to copy that or take some suggestions from it.

The ICO's recommended plan for performing a DPIA

Generally, all DPIAs should start early in the life of a project, before any data processing has taken place. They should also follow seven steps, as outlined below:

Step 1: Identify the need for a DPIA

In most cases, it's advised that companies keep a DPIA for each project that involves data processing. If your type of processing is listed in bold in the above section, then you will need to conduct a DPIA.

Step 2: Describe the processing

At this stage of the assessment, you should be prepared to describe how you intend to use the personal data, including how it's collected, stored, and accessed. It's also important at this stage to outline who will have the rights to access the data, who it will be shared with (including any processor relationships), how long it will be stored for, whether you are using cutting-edge technology as part of the process, and what security safeguards you have in place to protect it.

You are also required to explain the scope of the data you plan to process. This includes the type, the volume and variety of the personal data collected, how often you plan to process it, how long it will generally take to process, how sensitive the data is likely to be, and the number of data subjects associated with the data set.

You will also need to stipulate any internal or external factors that might hinder or change the expectations your organisation has when it comes to processing the data. For example, the extent to which data subjects are able to control the use of their data, how much processing is a data subject expecting, or whether the data relates to children or vulnerable people. Any factors that relate to your company's ability to process data should also be included here, such as previous experience processing similar data in the past, or changes to available technology.

Finally, every organisation is required to state the explicit reason for wanting to process the data. This can cover areas such as providing a service for an individual, or perceived benefits for wider society.

Step 3: Consider consultation

In most cases, you will want to consult with those individuals from which you are sourcing data in order to obtain views and an understanding of their expectations. There is no set way of achieving this, as GDPR only requires that you are able to provide documented evidence of this happening.

If you decide that consulting with individuals is not necessary, such as in those instances where there is a degree of commercial sensitivity, or that the process may undermine security, then this decision must be justified and documented clearly in your DPIA.

Step 4: Assess necessity and proportionality

The purpose of this step is to have your organisation assess whether the processing of data is essential to the performance of the proposed task - for example, could you achieve the same results without processing personal data?

It's at this point your DPIA should cover relevant information regarding your legal justification for processing data, and how your organisation seeks to maintain user privacy throughout the process. This includes details on any measures in place to support data rights, such as the right to erasure, and how this information will be communicated with data subjects.

Step 5: Identify and assess risks

It's here that the real bulk of the assessment will take place, essentially requiring you to explore the potential harm that your processing could create to data subjects, whether that's emotional or material.

Things such as losing control over their ability to control data use, inability to exercise data rights, the potential for identity theft, fraud, or financial loss, reputational damage, or loss of trust are all considered to be a risk to a data subject.

The biggest issue here is that risk' is loosely defined under GDPR, and so your organisation's definition may differ to another's. However, the ICO expects all organisations to consider the likelihood, and the severity, of any potential harm to an individual.

Innovative new technologies tend to always fall under the category of high risk. Specifically, any processing involving AI and its various disciplines (including facial recognition), smart technologies, internet of things, and autonomous vehicles would all create a high risk to the rights and freedoms of a data subject by default, regardless of your organisation's assessment.

Any processing involving data related to biometrics or genetics is also considered to be high risk, as is anything that involves comparing and matching data from multiple sources, even if it is used for beneficial services, such as fraud detection.

Step 6: Identify measures to mitigate the risks

In this section, your organisation is required to take what was found in Step 5, and come up with ways in which it could mitigate harm.

This could include reducing the scale of the proposed data processing, reducing the time that data is stored, or omitting certain types of data entirely. Equally, it may be that serious harm could come from a poorly implemented security system, and therefore you would need to detail specific steps that your organisation could take to remedy this.

In many cases, the list of proposed mitigations will depend heavily on the nature of your organisation and your processes.

Step 7: Concluding your DPIA

Here you are required to set out the steps your organisation has taken to remedy any issues raised during your assessment. This will include the nature of the risk as a result of these steps - whether you have eliminated it entirely or simply reduced it.

It's important to remember that as part of a DPIA you are not required to eliminate all risks to processing. In some cases, you may find that it is suitable to simply minimise the effect, or accept the risk as part of the processing.

It's here that you will need to gain approval to proceed from your data protection officer or equivalent.

Using your DPIA

As stated above, an assessment should be thought of as a tool for improving your processes, rather than as a compliance exercise. Once you have your DPIA completed, it will need to be fed back into your project and should be referred to throughout. This may involve refreshing your assessment as changes are made, or if you introduce new technologies.

Although there is no legal requirement to do so, it can be useful from a transparency perspective to publish your DPIA to the public. By doing so, your organisation is essentially holding itself accountable to the public, and makes it far easier for individuals to exercise their data rights. However, some organisations will want to withhold their DPIA, either because the information contains commercially sensitive data, or simply because they do not wish to be under unnecessary scrutiny.

If you are a public body, however, it's likely you will need to publish your DPIA in order to comply with the Freedom of Information Act.

Should the ICO know about my DPIA?

Simply put, if your DPIA identified a high risk to the rights and freedoms of data subjects, but you have taken steps to mitigate these to a point where you are satisfied, you do not need to involve the ICO.

However, if you identified a high risk, but you have been unable to reduce this and have simply accepted it as part of the data processing, you need to consult the ICO. No data processing can occur until this has happened.

If you find yourself in this position, you are required to email your DPIA to the ICO, drawing attention to the purpose of data processing and the measures taken to safeguard data subjects. The ICO will either accept your DPIA as is and allow you to process data, request for further consultation with your organisation, or reject the assessment. Rejection can lead to an official warning or an outright ban on any intended processing.

Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.