There’s a pile of cooking books on your desk. It’s approximately a meter high. It’s full of wonderful and complex recipes for all kinds of different cakes. They are written by the most famous patissiers of the continent. The problem is that you do not only have to read all the recipes, but you have to compile it into one consistent new recipe for a cake that does justice to the tradition of all these famous patissiers. What do you do?
That, in a nutshell, is what we at PrivacyPerfect tried to do when we started rebuilding our DPIA module. DPIAs have been around much longer than the GDPR, and many organisations have their own. Then GDPR came, and put some slightly vague criteria on the table. We built our first DPIA module without any up to date guidance being available. But after that, the EDPB and many member state supervisory authorities started issuing their own ‘DPIA recipes’.
Imagine you work for a supervisory authority, and you’re allowed to define what a DPIA is, and what questions you have to answer in order to come up with a suitable result. You’re not bound by time or money. It’s just you, alone, with a lot of empty paper and the possibility to shape the future of DPIAs. What will be the result? Well, indeed, it will be a very extensive, very in-depth, and very time consuming framework. A masterpiece of the patissier.
Various of our employees and associates, in legal, tech and user experience, embarked on a quest to translate tons of guidance into easy-to-use software. Our goal was to support, as much as possible, the execution of a DPIA for people, like you, who don’t have all the time in the world to read recipes and bake cakes. And who don’t have the time or ambition to be part of the Great British Bake Off challenge.
So what we did is determining the necessary ingredients of a DPIA, translating these into chapters of the module. The first step in the recipe is to perform a pre-assessment, enabled by both the generic EDPB DPIA-triggers and the lists provided by national supervisory authorities. We indicate if a full DPIA is necessary based on the applicable triggers and then let you configure your DPIA in terms of the following chapters:
- Processing description: a description of the envisaged processing activities, in terms of its stakeholders, processed data and legal qualifications;
- Necessity & proportionality: an assessment of the adequacy of purpose limitation, the legal basis, data minimisation, storage limitation and data quality.
- Data subject rights: an assessment of how the right to information, consent, access, objection deletion, and data portability are addressed.
- Security controls: an assessment of whether the technical and organisational security controls suffice and if not, what mitigating measures could be taken.
- Threat/impact assessment: an assessment of the threats to confidentiality, integrity and availability, their likelihood of occurring, and the severity of their impact.
- Accountability: an assessment of the policies etc. adhered to, privacy by design and by default, and the consultation of data subjects and supervisory authorities
- Provide a clear structure for performing a DPIA, in terms of chapters and sections. You are free to follow that structure, or later enter any information that you left out because you needed input from other stakeholders at the time.
- Give you a maximum of freedom of entering your own information. There are no pre-set answers; you can enter any building block you want for each of the respective questions.
- Let you reach a maximum degree of efficiency by reusing information you entered before, so e.g. your suite of technical and organisational security measures is available for use in any assessment record.