DPIA – an underestimated privacy-friendly tool

A data protection impact assessment (DPIA) sounds like something big, complicated and problematic. Well, it is true. Especially considering that the text of the General Data Protection Regulation (GDPR) does not have any clue about the methodology of conducting it – and you will only find it in the recommendations of the EDPB and state data protection authorities. That is why we have prepared a quick guide to DPIA to help you consider: what is it, when is DPIA necessary, why and how to conduct it?

What?

DPIA stands for Data Protection Impact Assessment. It is a process designed to identify and assess the potential risks and impacts that certain data processing activities may have on individuals’ privacy and data protection rights. A DPIA is typically conducted when a new project involving the specific processing of personal data is being implemented. Its purpose is to help organizations identify and minimize privacy risks by evaluating the processing activities’ necessity, proportionality, and compliance.

When?

First, a data controller needs a DPIA in cases prescribed by the Art. 35 (1) (3) of the GDPR, when conducting a DPIA is a direct obligation, namely:

(a) when you conduct automated decision-making, including profiling and base decisions that produce legal effects concerning the natural person or similarly significantly affect the natural person on their results;

(b) when you process on a large scale special categories of data (health or children data), or of personal data relating to criminal convictions and offences; or

(c) when you systematically monitor a publicly accessible area on a large scale.

In sum, DPIA is needed where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. 

For example, you track the behaviour of your customers. To do this, you need to define the scope of tracking: what are you monitoring and analysing? This may include the duration of the customer’s decision-making, the range of products among which they choose their preferred product, price categories, other characteristics of products, as well as the customer’s behaviour on the website, their computer mouse movements, movement around the store, etc. In such cases, the controller is obliged to assess the impact of the proposed processing operations on the protection of personal data before starting processing, and the criteria given as an example must be clearly formulated and documented.

These cases also include regular and systematic monitoring of data subjects. This notion is not defined in the GDPR. But according to WP29 guidelines, it clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising. However, the notion of monitoring is not restricted to the online environment.

So, conducting DPIAs demonstrates a commitment to compliance with data protection laws, such as the GDPR. If you fail to carry out this assessment, it can lead to GDPR fines of 20 million or 4% of revenue, whichever is higher. Article 35 of the GDPR also allows Data Protection Authorities (DPAs) to issue blacklists of Processing Activities. These lists contain all activities for which you are required to conduct a DPIA to avoid GDPR fines, even if the processing operation does not meet the test requirements established in Article 35 GDPR.

But more broadly, business is unrestricted by the abovementioned cases and may implement a DPIA as a competitive advantage in today’s privacy-conscious landscape. What are we exactly talking about? Let’s check.

Why? 

The primary goal of a DPIA is to enable businesses to identify and address data protection risks early in the development process. By doing so, organizations can implement appropriate measures to ensure compliance with relevant data protection laws and regulations and enhance transparency.

The nature and the approach of conducting a DPIA foresee that the business identifies and assesses potential privacy risks associated with its data processing activities. By proactively identifying and mitigating these risks, it can avoid data breaches, costly regulatory fines, and reputational damage. This position represents the business as a responsible custodian of personal data, setting it apart from competitors that may have suffered privacy incidents. So, DPIA is a proactive risk management tool. 

At the same time, if you aim at building your service or product with privacy by design and privacy by default principles, DPIA can become a real magic wand. It’s simple: embedding DPIA into your development process helps you integrate privacy considerations into the early stages of product or service development. As a result, you can create products and services that better meet your customers’ data security expectations. For example, an online platform for medical services collects clearly defined categories of data for each type of research that can be ordered, and in no case collects redundant information.

So, DPIA is the process of identifying all risks to personal data, recording them and compiling a list of actions to minimise these risks. You will be able to assess what architectural, operational, and procedural steps need to be taken so that your business can confidently call itself “GDPR Compliant”. In case of a data subject’s requests or even a penalty investigation, you will have solid proof that you have taken all possible (and commercially reasonable) steps to protect the data entrusted to you.

How?

The answer to this question may vary, depending on the particular business and data processing activity. In general, before and when conducting a DPIA, an organization should consider the following seven key factors:

1. Define the relevant jurisdictions’ applicable data protection laws and regulations. Identify the specific legal requirements regarding DPIAs, including situations where they are mandatory or strongly recommended. 
2. Determine whether the data processing activities being undertaken meet the criteria that trigger the requirement for a DPIA. This includes activities such as large-scale processing of personal data, systematic monitoring of individuals, automative decision-making, profiling, or processing of sensitive data categories like health data or criminal records.
3. Evaluate the methods used throughout the data lifecycle, covering all stages – collection, processing, transfer, storage and deletion. Consider the scope, nature and purpose of the data processing and the potential impact on privacy and data protection rights. By the way, the GDPR does not directly define what exactly is meant by “large” data processing. For this purpose, it is necessary to refer to the guidelines of the supervisory authorities, which usually indicate the following criteria: the number of data subjects whose rights may be at risk or the proportion in relation to the population; the geographical extent of processing; the amount of data to be processed, as well as the duration and regularity of processing activities, etc. 
4. Identify and assess potential privacy risks associated with data processing activities. Consider the likelihood and severity of these risks to individuals’ rights, freedoms and legitimate interests. Assess the possible consequences of such risks and the likelihood of their occurrence.
5. Engage all the necessary stakeholders involved in the data processing activities, including data subjects, data controllers, data processors, and other relevant parties, and seek their input on privacy concerns, risk assessment, and risk mitigation measures. This may also involve engaging privacy professionals, data protection officers, or external consultants with relevant knowledge and experience.
6. Identify and evaluate existing security measures and privacy safeguards in place. Assess the effectiveness of these measures in mitigating privacy risks and address any identified gaps or vulnerabilities. Consider technical and organizational measures to ensure the protection of personal data.
7. Properly document the results of the DPIA, including the risk assessment methodology and measures implemented to address identified risks. This will ensure compliance with the accountability principle set out in the GDPR and demonstrate adherence to data protection authorities, if necessary. 

Going further

We believe DPIAs are underestimated as an effective tool for protecting customer and user data. As consumer concerns about data privacy are rising, companies prioritizing privacy and data protection can significantly improve their market position. With the help of DPIA, businesses can take a rational set of measures to ensure the security of customer data and build customer trust and satisfaction.

So, if you are planning to launch or have already launched a project and are not sure whether the GDPR imposes on you an obligation to conduct a DPIA or if you want to clearly understand the nature and scope of your service’s data processing and adequately build the project architecture based on privacy by design and privacy by default principles, our data protection lawyers can help you with this.

GDPR compliance for tech companies

Anastasiia Poltavtseva

IT lawyer at Legal IT Group