Updated: April 3, 2024
Published: April 2, 2024
Even though it may not seem like it, the purpose of laws like the EU GDPR (General Data Protection Regulation) isn’t just for the EU to gain additional revenue through fines and penalties. They exist to protect individuals’ rights.
Businesses eager to avoid those fines and penalties and do the right thing for their audience will be quick to meet the obligations laid out in the GDPR. Some activities are a no-brainer, like asking for consent or providing notice. But no matter how well-defined a law is, certain activities will fall in a grey area.
That’s where DPIAs (data protection impact assessments) come in. They help businesses evaluate their activities to ensure that they don’t impinge on individuals' data privacy rights. Furthermore, they serve as an audit trail showing that businesses have done their due diligence should a data protection authority investigate.
Organizations may be used to the GDPR by now, but the DPIA requirement can still be somewhat opaque. That’s not to mention the other global privacy laws, like the U.S. state privacy laws, that are requiring assessments similar to DPIAs. In this blog, we’ll clear up some of the confusion and break down the essentials of DPIAs.
A data protection impact assessment (DPIA) is a risk assessment audit designed to assist organizations in identifying, analyzing, and minimizing the privacy risks that come with collecting, processing, using, storing, and sharing user data. It’s one of the key components required to comply with the GDPR.
The verbiage used in the GDPR is legal, technical, and a bit vague at times. According to the GDPR, DPIAs are mandated for processing that poses a high risk to a person’s rights and freedoms or for certain large-scale processing of personal data. Guidance from data protection authorities (DPAs) states that you should conduct a DPIA for processing that is likely to result in a high risk to individuals. It is also considered good practice to conduct a DPIA for any other major project that requires the processing of personal data.
But what constitutes “high risk”? How big is “large scale”? And what types of businesses are most at risk?
Unfortunately, there is no clear definition for “large scale” or “high risk” set out in the GDPR. But there are steep consequences for non-compliance, so companies need to know if they are required to perform a DPIA.
Regulating authorities in member states such as Estonia, Greece, and the Czech Republic issued their own interpretive guidance to help make sense of the terminology. The head supervising authority in Estonia came out and said that the GDPR guidelines are too broad and that they would assume that data processing was “large scale” if it involved processing:
Estonia’s supervising authority also provided guidance on the definition of “high risk.” They called out services such as online banking, credit card data, e-signatures, data protected by communication secrecy, geolocation information, profiling with legal consequence, and even data about an individual’s financial status.
The UK’s Information Commissioner’s Office (ICO) guidance states that it’s not necessary to know whether the processing is “actually high risk or likely to result in harm” because assessing that is the job of the DPIA itself. The ICO instead recommends you ask yourself this question: Are there any features that point to the potential for high risk? In this instance, according to the DPA, you’re looking for red flags rather than specific parameters.
Some of these red flags include:
If any of these points apply to your organization, you need to know when to conduct a DPIA to maintain compliance with data privacy laws.
So now you know whether or not your organization must conduct DPIAs. But in order to maintain GDPR compliance, you have to complete them at the right time. DPIAs aren’t meant to be an afterthought; they’re an integral part of keeping your customers’ information private and protected.
One of the key aspects of the GDPR legislation is the principle of “privacy by design.” This means that technical and organizational measures to protect consumer data should be built into the business applications and processes that will handle that data. As a means of achieving privacy by design, data protection authorities recommend performing DPIAs to reveal risks and assess and demonstrate how an organization is protecting consumer data.
To achieve this, a DPIA is recommended anytime a company is creating a new product or feature that will collect or process personal information in a new or different way. Conducting a DPIA first in this way enables privacy by design — before an organization can build a new product or feature, DPIAs ensure that the privacy needs are considered first, rather than bolted on afterward.
That’s why a DPIA should be performed before the processing takes place and should become a part of business workflows in cases such as profiling, systematic monitoring of public areas or people, and processing data on a large scale. It is a crucial tool that must be deployed prior to the processing event. The findings in the assessment should then be used to consider and implement protections to mitigate the impact on an individual's privacy.
Here are some examples of events that will require a DPIA before processing begins:
In contrast, there are scenarios that probably don’t require a DPIA. Let’s say, you’ve already performed a DPIA on a product offered in the EU and you are adding new features that do not process personal information in a new or different way. In this case, a DPIA is likely unnecessary.
Organizations that perform data processing activities and who must comply with the GDPR should plan to make DPIAs a part of their workflows. If you need help starting out, you can reference the UK ICO’s page on DPIAs, which includes guidance and a DPIA template.
A DPIA should include the following:
A DPIA should assess factors like:
After the DPIA is complete and before processing begins:
While no U.S. data privacy law specifically requires a “data protection impact assessment,” many do require privacy impact assessments, or PIAs.
From a practical standpoint, there isn’t too much of a difference—if you conduct a DPIA, you’ll be meeting most of the requirements for a PIA. PIAs, however, have fewer formal requirements than a DPIA.
There are additional differences between DPIAs and PIAs. For one, a DPIA is an ongoing process; you must continuously update your DPIA on a regular cadence. While that’s a smart thing to do for PIAs as well, PIAs are generally only required when some new data processing activity occurs, such as the launch or acquisition of a new business, the launch of a new product, the implementation of a new process, and so on.
That’s the general guidance, however. In reality, each state law has its own specific requirements around PIAs.
California, for instance, requires that PIAs be conducted for processing activities that present “significant risk to consumers’ privacy or security” or for any service, product, or feature that is likely to be accessed by children.
Other laws have similar requirements. Generally, if you’re wondering whether a new processing activity in the U.S. requires a PIA, consider whether it involves targeted advertising, the sale or sharing of personal data to other parties, the creation of a profile of an individual, or processing sensitive data. If it does, then a PIA is likely required.
Check out our U.S. Data Privacy Laws Guide to look up information for individual state privacy laws.
Osano Staff is a pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of making a more transparent internet.