Since May 25, 2018, organizations have been required to perform data protection impact assessments (DPIAs) under the General Data Protection Regulation (GDPR). Organizations use DPIAs to assess whether certain data processing activities are a risk to the rights and freedoms of individuals. However, because DPIAs are similar in name to the much more familiar PIA (privacy impact assessment), there has been some confusion among privacy and risk management teams, who have mistakenly considered them the same type of assessment. But DPIAs and PIAs are actually very different, helping teams achieve separate goals and assess different areas of privacy. This post focuses on the key differences between these two types of assessments and the roles they each play in a GDPR-compliant privacy program.
What is a Privacy Impact Assessment (PIA)?
A PIA is a standard process that privacy teams use to achieve privacy by design (the use of business and technology policies and processes to protect data efficiently). Many companies leverage PIAs when they are evaluating things like competitive advantage, product value, and cost effectiveness in design. PIAs are used to identify and mitigate organizational privacy risk and are usually conducted when a new business process is implemented, a new company is acquired, or a new product launches. PIAs can also be applied to existing processes, products, and systems when they are altered (e.g. when a company expands business into a new country or region).
What is a Data Protection Impact Assessment (DPIA)?
A DPIA is an as-needed document and is used to assist organizations in identifying and mitigating risks associated with the processing of personal data. The GDPR does not specify the types of processing that could result in risk; however, EU Member States have published their own whitelists and blacklists that provide guidelines around when DPIAs are necessary. Some examples include: sensitive data processing, large-scale data processing, and automated decision making.
Organizations can also use DPIAs as a way to demonstrate their compliance with the GDPR. DPIAs provide clear, documented evidence that an organization has evaluated the risk of certain processing activities and is able to demonstrate that it mitigated this risk and is aligned with the requirements of the regulation. Organizations can provide this documentation to regional and federal Data Protection Authorities (DPAs) if required.
The 4 Elements of a DPIA
While there are no concrete requirements for how an organization should conduct a DPIA, there are 4 main elements that organizations should include:
- A systematic description of the processing operations and their purposes (e.g. what and why are we processing the personal data?);
- An assessment of the necessity and proportionality of the processing operations in relation to these purposes (e.g. is there really a need to collect all of this personal data?);
- An assessment of the risks to the rights and freedoms of data subjects (e.g. how does this affect the data subject?); and
- The measures needed to address the risks, including safeguards to ensure the protection of personal data and to demonstrate compliance with the GDPR (e.g. what controls and mechanisms should we put in place to protect the data, the data subject rights, and to align with GDPR requirements?).
These four elements will help organizations focus on the type of data they are collecting and processing, the risks associated with that processing, and the likelihood and impact of those risks. A DPIA can help an organization determine the worst-case scenarios and prepare for or mitigate them.
What Happens After You Have Conducted a DPIA?
The GDPR does not require organizations to release the outcomes of their DPIAs, but organizations should maintain a full record of the privacy issues identified by their DPIAs and how they were addressed, in case a claim or investigation by a DPA takes place. If a DPIA finds that a processing activity is a high risk to data subjects’ privacy, then the organization must consult with their designated DPA to determine the next steps.
While both PIAs and DPIAs are critical to a privacy program, they have very distinct roles to play within an organization. PIAs focus on evaluating how business and/or technology changes and objectives affect a company's privacy program and what privacy risks may arise as a result of these changes. DPIAs are much more granular, homing in on very specific processes and their impact on data subjects, not only on the organization. DPIAs do not replace PIAs under the GDPR, as some have assumed, but instead complement them. Together, these two ensure a company has a more comprehensive and compliant view of privacy risk and a holistic plan to address and mitigate these risks.