Conducting a DPIA is often seen as a rather challenging task, but there are still ways to make it a little easier. We have highlighted the steps to get through a DPIA in the least painful way possible, covering the pre-assessment, overcoming the struggle of getting support and involving the key players, and how you can trim and simplify the process.
Where do we begin?
Before embarking on the journey of performing a DPIA, you may find yourself wondering which steps to take exactly. The first solid step is a pre-assessment, or high-level screening, to see whether a DPIA is actually needed. You will need to understand the nature, scope, context and purpose of the data processing. This includes inventorying the data flows, the internal departments and external entities involved in the processing activity, and the personal data itself. An important factor to keep in mind is that a DPIA is needed whenever the processing is likely to result in a high risk to the rights and freedoms of the individuals involved.
If the pre-assessment reveals a likely high risk, or other clear red flags appear, a DPIA should be conducted. If the DPIA then shows that the risks are unacceptably high and cannot be mitigated, consulting the supervisory authority is a must. An example of this could be a scenario where it seems very certain that a risk will materialise, such as a well-known vulnerability that may affect a large group of people if it is not dealt with.
There's just no “I” in “team”
Conducting a DPIA requires contribution from other parties just as it requires time and patience. It is indeed a journey. So who is usually involved in the process?
The Controller: The organisation that determines the purposes and means of the processing of personal data. They are also responsible for making sure that the DPIA is carried out. The actual process of carrying out the DPIA may be done by someone else, such as advisors, or an external service, but the controller will still remain in full control and will take full accountability for the task.
One of the main tasks for the controller is to seek the views of the data subjects or their representatives. It is vital that the controller also documents their justification if they decide not to seek the views of data subjects. If, say, the controller’s final decision differs from the views and opinions of the data subjects, the reasons for going ahead (or not going ahead) with the initiative should be documented.
Specific Business Units: Specific business units may propose to carry out a DPIA when they see fit. The units involved should then provide input to the DPIA and take part in the DPIA validation process as well.
Chief Information Security Officers: The CISO, as well as the DPO, may advise the controller to carry out a DPIA on a specific processing operation, and should help the stakeholders on the methodology of the process. They should also help to evaluate the quality of the risk assessment and whether the risk is acceptable, as well as develop knowledge specific to the data controller’s context.
Experts of Different Professions: When applicable, it’s helpful to seek advice from independent parties who specialize in their profession. This may include lawyers, IT experts, and security experts, who may shed a different light on the steps of a DPIA.
A DPIA requires a significant amount of communication between the various parties, which is something that should never be underestimated. As a controller, keeping a clear overview of the different parties, as well as the different processing activities, will not be an easy task. With all the processing going on and the responsibilities spread across the organisation, getting all the help you can will definitely smooth the process. From here on, it is a team game.
Getting the support you need
Convincing management to treat privacy as a priority can already be difficult, let alone getting support for conducting a DPIA. Usually, there is no sense of urgency outside the “inner circle” of DPOs. So how will you get the support you need? According to experts, these are a few steps that can be taken:
Point out the importance
Once you’ve given the full picture of the importance of the GDPR itself and how it affects your organisation, you can build on that to make the case for conducting a DPIA. Highlight the business side of conducting a DPIA for your organisation, and make clear that every privacy compliance initiative gives management:
• The ability to prove to stakeholders that your organisation prioritises privacy.
• The opportunity to avoid the danger of reputation damage or the risk of being fined for breaching a privacy law.
• The overall belief that customers and clients will trust you even more.
It’s also important to inspire other parties within the organisation itself, as this creates a sense of urgency. For this, it’s wise to educate people at all levels of your organisation. The people responsible for carrying out or reporting data processing activities within their respective departments shouldn’t be the only ones informed.
Create a culture
Involving staff and getting them motivated around the topic of privacy will also be a great benefit. Explaining the importance of personal data and the actions one can take to protect it may engage them and thus give privacy greater visibility.
Information is power. Measure the impact that has been made and keep notes. Make sure that stakeholders and higher-level management all see what has been done each month by creating reports with language and visuals that everyone can understand.
Not a “30 minute or less” checklist
Unfortunately, a DPIA is not a 30-minute checklist, nor something that can be wrapped up on a Friday afternoon over tea. It takes time, careful management and close handling, as ad hoc tasks may arise from time to time. It is therefore vital to keep an eye on everything that is going on across the entire process.
An alternative solution
Given the need to break these processes down and carry them out efficiently, automation offers a way forward. Automated tasks replace the manual methods, so the work can be done much more quickly and with less chance of error.
There is also the advantage of tracking and tracing progress. With the help of software, the complete history of actions taken on the DPIA (including dates, times and even names) is visible. Besides convenience, automation helps minimise errors and risks, which in turn improves an organisation’s overall cyber security and security in general.
Hard work pays off
Though conducting a DPIA is a gruelling task, the benefits that come with it surely make it worthwhile. Once you’ve understood the steps, gathered the support you need and maintained full control over the processes, both the main ones and the ad hoc ones, you’ll find it to be a very insightful and smooth process.
To learn more about the exact steps you need to take to perform a DPIA, we have made a comprehensive guide for you in this whitepaper. If you are interested in trimming and simplifying the entire process through automation, we would also recommend you sign up for PrivacyPerfect’s 14-day free trial, where you can easily cruise through processes and tasks while keeping a close eye on everything.