Conducting a DPIA is an important way to demonstrate accountability for all the personal data processing operations within your organisation. Although executing a DPIA is not an easy thing to do, the GDPR makes it mandatory in the case of high-risk processing. In this blog we briefly discuss the importance of a DPIA and how one should be performed.
According to the Dutch Data Protection Authority, the city of Rotterdam violated the GDPR by using surveillance cars to track down ‘corona offenders’ who did not keep the required distance of 1.5 metres on the street. This example showcases the importance of Data Protection Impact Assessments (DPIAs). While there were major privacy risks associated with the camera project, the municipality and the police failed to conduct the required Data Protection Impact Assessment in advance, thereby exposing citizens to unnecessary privacy risks.
The Dutch Data Protection Authority (AP) found that the images were retained for a period deemed too long (seven days), that the cars were intended for a different purpose, namely “crowd control” at the Eurovision festival, and that civilians captured on camera were not correctly informed about it. Lastly, according to the AP, recording civilians was not necessary at all: the enforcers in the car could have passed on their findings via the walkie-talkie.
While it is uncertain whether the AP will impose a fine, it is certain that the municipality of Rotterdam did not properly assess the privacy risks of this activity by conducting a DPIA and identifying the privacy risks before starting it. Therefore, we are going to discuss in short what a DPIA is.
So, what exactly is a DPIA, why is it needed, and how can you conduct one on behalf of your organisation in the most efficient and accountable manner?
The DPIA, what and why?
Article 35 of the GDPR introduces the concept of a Data Protection Impact Assessment and describes it as a process designed to describe the processing, assess its necessity and proportionality, and help manage the risks to the rights and freedoms of natural persons that result from the processing of personal data by assessing them and determining the measures to address them. Failure to carry out a DPIA can lead to an administrative fine of up to 10 million euros or up to 2% of the annual turnover. In other words, a DPIA is a process for building and demonstrating compliance. But as the person responsible who must conduct a DPIA: where do you start, how do you gather information, how do you identify risks, and how do you involve the relevant stakeholders?
Identify the need for a DPIA
Before answering these questions, it is important to know that the controller is responsible for ensuring a DPIA is carried out. Before starting a DPIA, the controller must first establish whether one is necessary at all. The general rule in Article 35 says it is necessary when a type of processing is likely to result in a high risk. What a high risk means is not explained by the GDPR, but you should ask yourself a high-level question: are there any features in the processing that point to a high risk? Article 35 of the GDPR sums up several scenarios in which a DPIA is mandatory. These scenarios are explained in more detail in the Guidelines on Data Protection Impact Assessments published by the European Data Protection Board. Furthermore, to clarify when a DPIA is mandatory, several national supervisory authorities, such as the Dutch Data Protection Authority (AP), have formulated characteristics that, if applicable, make a DPIA mandatory. The characteristics of the Dutch DPA can be found on its website.
Conducting a DPIA
- Describe the processing
Assuming there is likely to be a high risk, you will have to describe the processing and explain how and why you want to use the personal data that you intend to process. You can divide the description into the nature (what you plan to do with the data), scope (what data will be processed), context (internal and external factors that could affect expectations or impact) and purpose of the processing (why do you want to process the data?). Also check the legal ground that you aim to rely on for the processing, which could for example be “consent” or “legitimate interest”.
- Check the relevant stakeholders within processing
After describing the processing, you will need to answer the basic questions about the processing, such as what data will be processed, how much data will be processed, and where it will be stored (this list is not exhaustive). These are questions the process owner or executing entity within your organisation will have to answer. It is therefore essential to identify the key stakeholders within your organisation so that you have the right input.
- Assess the risks
After the processing has been described and all relevant information has been gathered with the assistance of the stakeholders, the risks must be assessed. According to the GDPR, these risks will mostly relate to the GDPR principles (for example purpose and storage limitation or data minimisation), to the data subject rights (for example the right to rectification, information and access), or to potential breaches caused by a lack of technical and organisational security measures.
- High or low risk?
If, after assessing the risks, you conclude that the risk is low after all, you can consider the assessment finished and save it for future reference. On the other hand, if you have identified high risks, it is important to propose measures that can help mitigate them. There are various mitigating measures to consider, depending on the risks involved: for instance, processing fewer personal data items, applying a shorter data retention period, or not sharing the personal data with third parties. If a high risk cannot be mitigated, you should consult your national data protection authority. After consultation, you will need to document all gathered information and prepare a final conclusion to your assessment as part of your accountability obligation.
- Need any help? PrivacyPerfect can assist you.
Even considering all the steps above, performing a DPIA in a correct and truly efficient manner is still a challenge. To help break down the complexity of DPIAs, PrivacyPerfect offers its DPIA module including pre-assessments, full DPIAs and also a light version where key stakeholders may directly share their input, instead of collecting it by lengthy interviews. Carry out pre-assessments and full DPIAs on a predefined framework based on the guidelines of the EDPB and national supervisory authorities, collaborate with colleagues with ease, and take advantage of smart automation to identify, mitigate, document and report on potential risks ahead of time.
- Interested? Sign up for the webinar!
Are you struggling with DPIAs, and you want to learn how to properly conduct a Data Protection Impact Assessment? Or are you interested in what PrivacyPerfect has to offer to assist you with this? Sign up for the upcoming PrivacyPerfect & LegalManager DPIA webinar on May 24th. During the webinar we will discuss best practices to conduct DPIAs and at the end we will also provide a short demo of the PrivacyPerfect DPIA assessment module. To register please click here.
Sources used for the blog:
- Data protection impact assessment (DPIA) | Autoriteit Persoonsgegevens
- When is a Data Protection Impact Assessment (DPIA) required? | European Commission (europa.eu)
- When do we need to do a DPIA? | ICO
- 'Rotterdam schond AVG met camerawagens voor handhaving coronaregels' - Security.NL
- How to Perform a Data Protection Impact Assessment (DPIA) (netwrix.com)
- IT Governance Blog: 7 key stages of the DPIA
- SPECTRE Deliverable 2.1: Mapping DPIA best practices (spectreproject.be)
- Article 29 Working Party, WP248 rev.01 (2017): Guidelines on Data Protection Impact Assessment (DPIA)