Under the GDPR, DPIAs (data protection impact assessments) are mandatory for data processing that’s “likely to result in a high risk to the rights and freedoms of data subjects”.
Effectively a form of risk assessment, DPIAs evaluate how these high-risk processing activities might affect data subjects.
Failure to adequately conduct a DPIA where one is required constitutes a breach of the GDPR.
Breaching the GDPR can result in administrative fines of up to 2% of your organisation’s annual global turnover or €10 million, whichever is greater.
So it’s important to get it right.
This DPIA checklist outlines the seven key elements of the DPIA process flow.
Step 1: Identify the need for a DPIA
You’ll need to conduct a DPIA for data processing that’s “likely to result in a high risk”.
But the GDPR doesn’t define “likely to result in a high risk”, so what does it mean?
Although the purpose of the DPIA itself is to identify “high risk” in detail, you’ll first need to screen for any red flags that indicate you need to do a DPIA.
As a starting point, Article 35(3) sets out three types of processing that always require a DPIA:
1) Systematic and extensive profiling with significant effects:
(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
2) Large-scale use of sensitive data:
(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10.
3) Public monitoring:
(c) a systematic monitoring of a publicly accessible area on a large scale.
Beyond this, the ICO (Information Commissioner’s Office) provides an extensive list of examples of processing “likely to result in high risk”.
[Chart: simplified summary of the ICO’s examples of processing likely to result in high risk]
One way to quickly and easily determine whether or not a DPIA is required is to use a dedicated software tool, such as the DPIA Tool.
All you’ll need to do is answer some quick screening questions, and you’ll be advised whether a DPIA is mandatory, recommended or not required.
If you’re confident that your processing is unlikely to result in a high risk, you may be able to justify a decision not to carry out a DPIA. You should document your reasons for this.
Step 2: Describe the processing
You’ll need to explain precisely how and why you intend to use the personal data you’re processing.
This description of the processing will be useful evidence and justification for your decision whether or not to conduct a full DPIA.
Your description should outline “the nature, scope, context and purposes of the processing”.
Let’s take a look at each of these terms in more depth:
The nature of the processing is what you intend to do with the personal data. Many different types of personal data processing can be identified in the GDPR.
When describing the nature of the processing, you should outline:
- How you’ll collect and store the data.
- Who has access to the data, and who you’ll share it with.
- Whether or not you use any processors.
- How long you’ll retain the data.
- What security measures you have in place to protect the data.
- Any new technologies or novel types of processing used.
The scope of the processing defines what the processing covers. When documenting the scope of the processing, you should detail:
- The nature of the personal data.
- The volume and variety of the personal data.
- The sensitivity of the personal data.
- The extent and frequency of the processing.
- The duration of the processing.
- The number of data subjects involved.
- The geographical area covered.
Describing the context of the processing requires you to consider the bigger picture.
This includes any factors, internal or external, that could affect expectations or impact, such as:
- The source of the data.
- Your relationship with the individuals.
- How much control individuals have over their data.
- How likely individuals are to expect the processing.
- Whether the individuals include children or other vulnerable people.
- Any relevant advances in technology or security.
- Any current issues of public concern.
Finally, you’ll need to explain the reason why you want to process the personal data. This should include:
- Your legitimate interests (where relevant).
- The intended outcome for individuals.
- The expected benefits for you or society as a whole.
Software can help speed things up here, too.
The DPIA Tool includes a process description questionnaire, divided into four sections: scope, nature, context and purpose.
Answering all the questions will enable you to quickly create a systematic description of your processing activities.
Step 3: Consider consultation
Unless there’s a good reason not to, you’re required to seek and document the views of individuals (or their representatives).
In most cases, consultation should be possible in some form. Let’s take a look at two common scenarios:
1) You’re processing the data of existing contacts
If you’re processing the data of existing contacts, say, existing customers or employees, you should design a consultation process to seek the views of those involved.
2) You plan to collect the personal data of individuals you haven’t yet identified
In this scenario, you may need to carry out a more general public consultation process. This could comprise market research within a certain demographic or contacting relevant consumer groups for their opinions.
If, after consultation, your DPIA decision goes against the views of the individuals, you’ll need to document your reasons for disregarding their views.
Keep in mind that consultation won’t always be appropriate.
For example, if it would compromise commercial confidentiality, or pose a risk to security, it’s reasonable to forgo the process.
However, if you decide to do so, you should record this decision as part of your DPIA, with a clear explanation.
Step 4: Assess necessity and proportionality
First of all, let’s examine what’s meant by necessity and proportionality.
Necessity is a fundamental principle when assessing the lawfulness of the processing of personal data.
It requires that your processing operations, retention periods and the categories of data processed are necessary only for the purpose of the processing.
Proportionality is a general principle of EU law.
In the context of personal data processing, it requires that you only collect personal data that’s adequate and relevant for the purpose of the processing.
In accordance with the Article 29 Working Party guidelines, you should outline how you ensure data protection compliance. This is a good measure of necessity and proportionality.
Specifically, you should include relevant details of:
- Your lawful basis for the processing.
- How you intend to prevent function creep.
- How you intend to ensure data quality and data minimisation.
- How you intend to provide privacy information to individuals.
- What measures you take to ensure your processors comply.
- Any safeguards you have in place for international transfers.
The principles questionnaire included within the DPIA Tool will enable you to quickly assess the necessity and proportionality of processing.
It consists of eight sections covering the individual principles of data protection, data subject rights and measures to protect data subjects.
Answering the questions will show if and how the processing in question upholds the data protection principles and data subject rights.
Step 5: Identify and assess risks
It’s essential to consider any harm or damage your processing may cause to the individuals involved. This could be physical, emotional or material.
In particular, you should consider whether the processing could contribute to significant economic or social disadvantage. This includes:
- Inability to exercise rights.
- Inability to access services or opportunities.
- Loss of control over the use of personal data.
- Identity theft or fraud.
- Financial loss.
- Reputational damage.
- Physical harm.
- Loss of confidentiality.
- Re-identification of pseudonymised data.
To assess whether the risk is high, you need to consider both the likelihood and the severity of the potential harm.
A risk assessment matrix provides a simple way of doing that, quantifying the risk using a simple scoring system.
[Chart: risk assessment matrix scoring likelihood against severity]
Alternatively, the DPIA Tool includes everything you need to make an objective assessment of the risks.
Based on your risk assessment, you need to establish the criteria for accepting risks.
Generally speaking, there are three main criteria for this: broadly acceptable, tolerable and intolerable.
[Screenshot: risk acceptance criteria as they appear in the DPIA Tool]
It’s also worth considering your own corporate risks, for example, the impact of regulatory action, reputational damage, or a loss of public trust.
Step 6: Identify measures to mitigate risks
Now that you’ve evaluated the risks posed by your processing, you need to consider ways to reduce that risk.
This could include:
- Refraining from collecting certain types of data.
- Taking additional technological security measures to protect the data.
- Training staff to ensure that risks are anticipated and managed.
- Anonymising or pseudonymising data.
You’ll need to assess whether each measure would reduce or eliminate the risk.
Take into account the costs and benefits of each measure when deciding whether or not they’re appropriate.
Step 7: Sign off and record outcomes
To conclude your DPIA, you will need to record:
- Any additional measures you intend to take.
- Whether each identified risk has been eliminated, reduced or accepted.
- The overall level of ‘residual risk’ after taking additional measures.
- Whether or not you need to consult the ICO.
It’s important to remember that you don’t always have to eliminate every risk.
You may decide that some risks are acceptable, given the benefits of the processing and the difficulties of mitigation.
However, if there is still a high risk, you will need to consult the ICO before you can go ahead with the processing.
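To make the Step 5 risk matrix and the Step 7 sign-off record concrete, here is an added example (not code from the original post or from the DPIA Tool) that scores likelihood against severity, maps the score to the three acceptance bands, and records per harm whether the risk was eliminated, reduced or accepted. The 0-3 rating scales, the band thresholds and the rule that an intolerable residual risk triggers an ICO consultation are assumptions for illustration; the GDPR and ICO guidance do not prescribe particular numbers.

```python
# Added example, not from the original post or the DPIA Tool: a likelihood x severity
# risk matrix with Step 5's three acceptance bands and Step 7's residual-risk record.
# The 0-3 scales, band thresholds and "consult the ICO" rule are assumptions.
from dataclasses import dataclass, field

LIKELIHOOD = {"none": 0, "remote": 1, "possible": 2, "probable": 3}  # assumed scale
SEVERITY = {"minimal": 1, "significant": 2, "severe": 3}             # assumed scale

def risk_score(likelihood: str, severity: str) -> int:
    """Matrix cell value: likelihood rating multiplied by severity rating."""
    return LIKELIHOOD[likelihood] * SEVERITY[severity]

def acceptance(score: int) -> str:
    """Assumed bands: 0-2 broadly acceptable, 3-4 tolerable, 6-9 intolerable."""
    if score <= 2:
        return "broadly acceptable"
    if score <= 4:
        return "tolerable"
    return "intolerable"

@dataclass
class Risk:
    harm: str                                          # e.g. one of the Step 5 harms
    likelihood: str
    severity: str
    measures: list = field(default_factory=list)       # Step 6 mitigations applied
    residual_likelihood: str = ""                      # rating after measures, if changed
    residual_severity: str = ""

    def inherent(self) -> int:
        return risk_score(self.likelihood, self.severity)

    def residual(self) -> int:
        return risk_score(self.residual_likelihood or self.likelihood,
                          self.residual_severity or self.severity)

    def outcome(self) -> str:
        """Step 7 wording: eliminated, reduced or accepted."""
        if self.residual() == 0:
            return "eliminated"
        return "reduced" if self.residual() < self.inherent() else "accepted"

def sign_off(risks: list) -> dict:
    """Record outcome and residual band per harm, plus whether the ICO must be
    consulted (assumed rule: any residual risk still in the intolerable band)."""
    record = {r.harm: (r.outcome(), acceptance(r.residual())) for r in risks}
    consult_ico = any(band == "intolerable" for _, band in record.values())
    return {"risks": record, "consult_ico": consult_ico}
```

Calling `sign_off` on your list of `Risk` entries gives the per-harm record Step 7 asks for, and `consult_ico` flags the case where a high residual risk remains after mitigation.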
You don’t need to be a GDPR expert to complete a DPIA
Save time, reduce errors and easily demonstrate how you comply with your data protection obligations with the DPIA Tool.
Suitable for organisations of all sizes, this easy-to-use tool will speed up and simplify the DPIA process.
- Quickly determine whether you need to conduct a DPIA;
- Conduct consistent, comprehensive DPIAs;
- Identify risks and determine the likelihood of their occurrence and impact;
- Easily review and update DPIAs when changes in processing activities occur; and
- Easily share data with stakeholders and your supervisory authority.
A version of this blog was originally published on 4 September 2019.