Carrying out a Data Protection Impact Assessment (DPIA) is often considered a challenging task by data protection professionals due to the complexity of the process, which often involves big and detailed projects, and relies on the involvement and support of other stakeholders within an organisation. Fortunately, there are several methods that can help make the performing of DPIAs easier, simpler, and more efficient. In this blog post, our privacy experts highlight the key steps that may help make the process painless.
Revise, update, refresh
Before embarking on the journey of performing a DPIA, you may find yourself wanting to revise the exact steps. The first solid step of DPIAs is to conduct a pre-assessment or high level screening, to see if a DPIA is actually necessary. You will need to understand the nature, scope, context and purpose of the data processing. This includes inventorying data flows, internal departments, external entities involved in the processing activity, and further personal data. An important factor to keep in mind is that a DPIA is necessary whenever a processing is likely to result in a high risk to the rights and freedoms of involved individuals.
If the pre-assessment reveals a likely high risk, a DPIA should be conducted. Once it has been clear that the DPIA indicates high risks which cannot be mitigated, consultation of the supervisory authority is a must.
Set-up your DPIA network
Conducting a DPIA requires contribution from other stakeholders, which are in most cases:
- The controller, as in the organisation that determines the purposes and means of the processing of personal data. The controller is also responsible for making sure that the DPIA is carried out. The actual process of carrying out the DPIA may be done by carried out by someone else, such as advisors, or an external service, but the controller will still remain in full control and will take full accountability for the task. One of the main tasks for the controller is to seek the views of the data subjects or their representatives. It is vital that the controller also documents their own justification if they decide to not seek the views of data subjects. If an issue arises, say, the data controller’s final decision differs from the views and opinions of the data subjects, the reasons for going ahead (or not going ahead) with an initiative, should be documented.
- Specific Business Unit may propose to carry out a DPIA - i.e. before launching a new project. They should then provide input for the DPIA, and be involved in the DPIA validation process itself as well.
- Chief Information Security Officers, as well as the DPO, may advise the controller to carry out a DPIA on a specific processing operation, and should help the stakeholders on the methodology of the process. They should also help to evaluate the quality of the risk assessment and whether the risk is acceptable, as well as develop knowledge specific to the data controller’s context.
- Experts of Different Professions may be involved. When applicable, it can be helpful to seek advice from independent parties such as, IT experts and security experts, who may shed a different light on the steps of a DPIA.
Gain C-level support
Convincing management to take privacy with priority can already be difficult, let alone getting the support for conducting a DPIA. Usually, there is no sense of urgency outside the “inner circle” of DPOs. So how will you get the support you need? According to our experts, the below can be helpful:
1. Demonstrate the risks and benefits
Once you’ve provided management with the full picture on the importance of the GDPR and how it affects your organisation, you will be able to start a base on the importance of conducting a DPIA. Make sure that every privacy compliance initiative will provide management:
• The ability to prove stakeholders that your organisation prioritises privacy.
The opportunity to avoid danger of reputation damage or the risk of being fined by breaching a privacy law.
The overall belief that customers and clients will trust you even more.
2. Create a privacy culture
It’s also important to inspire other stakeholders within the organisation itself, as it will create a sense of urgency. For this, it’s wise to educate colleagues on all levels within your organisation. This means that the people who are responsible for carrying out or reporting data processing activities within their respectful departments shouldn’t be the only ones informed.
3. Share your results transparently
Measure the impact that has been made and keep notes. Make sure that stakeholders and higher-level management all see what has been done and with what results each month through easy-to-read reports.
Use automation to make the process more efficient
DPIAs take time - a lot of time. Therefore, being able to make your work more efficient plays a key role. For this, automation can be very helpful. Using a compliance software with built-in automation for pre-assessments, complete data protection impact assessments, and for collaboration on these records, will not only save time, but will make the process more streamlined and efficient, with a lesser chance of human errors.
If you are interested to see how automation can help, please have a look at this page, or if you would like to experience it yourself, please sign-up to PrivacyPerfect’s 14-days free trial, where you can easily cruise through processes and tasks with a close eye on everything.