Europe has consistently been ahead of the curve when it comes to data privacy laws, but now the rest of the world is catching on.
After the EU GDPR (General Data Protection Regulation) was introduced, many industries had to make sweeping changes in how they protect and use consumer data. It was the first legislation of its kind meant to broadly protect consumers’ rights over their own data.
Maintaining compliance with privacy laws is crucial to avoid massive fines and participate in building a safer, less intrusive web. One of the requirements of the GDPR and other privacy laws that companies must comply with is the completion of DPIAs, or data protection impact assessments.
DPIAs were introduced as an element of the GDPR in 2018. The legislation requires organizations in certain jurisdictions to perform a DPIA before specific projects or processing activities.
However, since DPIAs and the GDPR are so new, there is still a lot of confusion about who must implement a DPIA and when. And to add to the confusion, individual states in the US are passing their own data privacy laws that will require DPIAs as well.
What is a DPIA?
A data protection impact assessment (DPIA) is a risk assessment audit designed to assist organizations in identifying, analyzing, and minimizing the privacy risks that come with collecting, processing, using, storing, and sharing user data. It’s one of the key components required to comply with the GDPR.
The verbiage used in the GDPR is legal, technical, and a bit vague at times. According to the GDPR, DPIAs are mandated for processing that poses a high risk to a person’s rights and freedoms or for certain large-scale processing of personal data. Guidance from data protection authorities (DPAs) states that you should conduct a DPIA for processing that is likely to result in a high risk to individuals. It is also considered good practice to conduct a DPIA for any other major project that requires the processing of personal data.
But what constitutes “high risk”? How big is “large scale”? And what types of businesses are most at risk?
Who should implement a DPIA? When?
Unfortunately, there is no clear definition for “large scale” or “high risk” set out in the GDPR. But there are steep consequences for non-compliance, so companies need to know if they are required to perform a DPIA.
Regulating authorities in member states such as Estonia, Greece, and the Czech Republic issued their own interpretive guidance to help make sense of the terminology. The head supervising authority in Estonia came out and said that the GDPR guidelines are too broad and that they would assume that data processing was “large scale” if it involved processing:
- 5,000 data subjects’ “special category” information (e.g., racial or ethnic information, political opinions, health data, and other sensitive types of data)
- 5,000 data subjects’ criminal conviction information
- 10,000 data subjects’ high-risk data
- 50,000 data subjects’ other information
Estonia’s supervising authority also provided guidance on the definition of “high risk.” It called out categories such as online banking, credit card data, e-signatures, data protected by communication secrecy, geolocation information, profiling with legal consequences, and even data about an individual’s financial status.
The UK’s Information Commissioner’s Office (ICO) guidance states that it’s not necessary to know whether the processing is “actually high risk or likely to result in harm” because assessing that is the job of the DPIA. Instead, the ICO recommends you ask yourself this question: Are there any features that point to the potential for high risk? In this instance, according to the DPA, you’re looking for red flags rather than specific parameters.
Some of these red flags include:
- Using novel technologies and applications such as artificial intelligence and machine learning
- Profiling and automated decision-making regarding an individual’s access to products, services, and other benefits
- Systematic monitoring
- Widespread use of biometrics
- Routine collecting or processing of sensitive personal information
- Collecting or processing the personal information of children
If any of these points apply to your organization, you need to know when to conduct a DPIA to maintain compliance with data privacy laws.
When to conduct a DPIA
So now you know whether or not your organization must implement a DPIA. But to maintain GDPR compliance, you also have to complete it at the right time. DPIAs aren’t meant to be an afterthought; they’re an integral part of keeping your customers’ information private and protected.
One of the key aspects of the GDPR legislation is the principle of “privacy by design.” This means that technical and organizational measures to protect consumer data should be built into the business applications and processes that will handle that data. As a means of achieving privacy by design, data protection authorities recommend performing DPIAs to reveal risks and assess and demonstrate how an organization is protecting consumer data.
To achieve this, a DPIA is recommended any time a company is creating a new product or feature that will collect or process personal information in a new or different way. Conducting the DPIA first is what enables privacy by design: privacy needs are considered before the product or feature is built, rather than bolted on afterward.
That’s why a DPIA should be performed before the processing takes place and should become a part of business workflows in cases such as profiling, systematic monitoring of public areas or people, and processing data on a large scale. It is a crucial tool that must be deployed prior to the processing event. The findings in the assessment should then be used to consider and implement protections to mitigate the impact on an individual's privacy.
Here are some examples of events that will require a DPIA before processing begins:
- A bus system implementing onboard cameras to monitor passengers and drivers
- An HR department planning to use a new system to process employee records
- A corporation using biometric data for access control
- A crypto wallet application collecting personal information to verify user identities
- A genealogy organization collecting and processing genetic data
- A marketing firm deploying a machine learning algorithm to personalize triggered emails
In contrast, there are scenarios that probably don’t require a DPIA. Let’s say you’ve already performed a DPIA on a product offered in the EU and you are adding new features that do not process personal information in a new or different way. In this case, a new DPIA is likely unnecessary.
What should be included in a DPIA?
Organizations that perform data processing activities and that must comply with the GDPR should plan to make DPIAs a part of their workflows. If you need help starting out, you can reference the UK ICO’s page on DPIAs, which includes guidance and a DPIA template.
A DPIA should include the following:
- Whose data you are processing
- What kind of personal information you will use
- A description of the nature, scope, and context of the processing
- How, or the purpose for which, you will use the personal data that you are processing
- Identification and assessment of risks to individuals
- Any measures you will take to minimize and prevent risk to the individuals involved
A DPIA should assess factors like:
- Is personal data processing necessary and proportionate to meet your goals?
- Are the risks involved worth the desired outcomes?
- Is there a need to contact a supervising authority?
After the DPIA is complete and before processing begins:
- Assess if there is still a high risk to individuals after mitigation and weigh the severity of any impact on individuals.
- Publish the DPIA with sensitive information redacted.
- Integrate the results of the DPIA into the project plan.
- Track and monitor the project against the DPIA to maintain privacy.
The future of DPIAs
It’s becoming clear that the GDPR has inspired the next generation of data privacy laws. At first, there was some contention and controversy about getting these laws passed. Eventually, people realized the benefits of improved protection for sensitive personal information. And now, several US states are set to enact privacy laws that require DPIAs:
- The Virginia Consumer Data Protection Act (VCDPA), effective January 1, 2023
- The Colorado Privacy Act (CPA), effective July 1, 2023
- The California Privacy Rights Act (CPRA), effective January 1, 2023
- The Connecticut Data Privacy Act (CTDPA), effective July 1, 2023
Each has a nuanced approach to data privacy, but they all require DPIAs in specific situations. You can learn more about the different state privacy laws in our eBook titled "Comparing the state privacy laws: A quick reference guide."
And if you’re looking for a way to make conducting DPIAs easier, use the Osano Data Discovery platform to keep track of what data you have, where it lives, and who has access to it. Sign up for a demo today.