The General Data Protection Regulation (GDPR) seeks to improve users’ data protection standards across the EU. Users of websites or apps are provided with user rights regarding their data collection, storage, processing, and sharing, while businesses have obligations to protect user privacy. Most importantly, GDPR seeks to ensure that personal data is collected and processed securely.
A Data Protection Impact Assessment (DPIA), sometimes called a Privacy Impact Assessment, helps organizations ensure secure handling of user data. It identifies potential risks and finds solutions before problems occur, thus protecting user privacy, avoiding the costs of non-compliance, and retaining user trust.
Read this blog to find out what a DPIA is, whether it is necessary, and how to perform one.
What Is Data Protection Impact Assessment?
A Data Protection Impact Assessment (DPIA) is a process designed to identify and evaluate the potential risks associated with processing personal data where the processing could seriously impact the rights and freedoms of individuals. The assessment helps identify and fix issues at the early stages of a project, helping businesses avoid the costs of non-compliance with privacy laws.
A DPIA applies the privacy-by-design approach whenever new data processing systems, technologies, methods, or projects are implemented or planned.
Failure to conduct a DPIA can result in non-compliance with the GDPR and could increase the possibility of a data breach. Failure to perform one when it is necessary could lead to severe penalties and fines, which can be up to 4% of the organization's global annual revenue.
The DPIA must be documented and performed regularly. It is recommended to perform the Data Protection Impact Assessment once a year.
Is Data Protection Impact Assessment Mandatory?
A Data Protection Impact Assessment is not necessary for all organizations. Under the GDPR, a DPIA is mandatory when data processing is likely to result in a high risk to individuals from the processing of their personal data.
A DPIA must be carried out in the following scenarios:
- New technologies. The GDPR suggests performing a DPIA by default for high-risk projects that “involve using new technologies or are of a new kind and where no data protection impact assessment has been carried out before by the controller”. "New technologies" is not clearly defined in the GDPR, but the European Data Protection Supervisor gives the Internet of Things as one example. Technologies involving Artificial Intelligence (AI) could also be considered new technologies.
- Sensitive data. Organizations should perform a DPIA when they carry out large-scale processing of sensitive personal data or data relating to criminal convictions. Examples of sensitive data are genetic, biometric, or health data, race, religion or political views, sexual orientation, trade union membership, and others. Under Article 10 of the GDPR, criminal record data is also considered sensitive data and should be processed with special care.
- Automated processing. Organizations should perform a DPIA when their business practices involve systematic evaluation of personal data based on automated processing, including profiling of users.
- Video surveillance of public places. Organizations should perform a DPIA when they monitor public places on a large scale. Property, offices, stores, and public places are often protected by video surveillance. It is not sufficient to inform individuals about the surveillance; it is also necessary to carry out a DPIA and to assess the risks to individual rights and the risk of leaks of the recorded video data.
- Nature of the project. Some projects are riskier than others by nature. It depends on how organizations collect personal data, how they store it, and with whom they share it.
- Scope of the project. The larger the project becomes, the more likely the risks to individuals from processing their personal data, including data breaches, become. Thus, even if an organization did not perform a DPIA in the past and still complied with the GDPR, growth in the scale of the project can create a new requirement to perform one.
Why Are DPIAs Important?
Conducting a Data Protection Impact Assessment is needed for several reasons:
- Legal requirements. Conducting a DPIA is a legal requirement under the GDPR and other privacy laws such as the UK's Data Protection Act 2018.
- Privacy by Design approach. DPIAs promote the Privacy by Design approach, meaning that organizations consider data protection and privacy at the early stages, while a project or process is still being planned, rather than fixing data protection problems later.
- Risk identification. DPIAs help organizations identify and prevent the risks associated with their data processing activities at the early stages. By understanding these risks, organizations can take measures to mitigate them and protect individuals' privacy.
- Transparency. DPIAs increase transparency by documenting data processing activities. This transparency helps to build trust with individuals and regulatory authorities.
- Accountability. By carrying out DPIAs, organizations demonstrate their commitment to GDPR compliance and data protection. It helps to establish a culture of accountability within the organization.
How to Conduct a Data Protection Impact Assessment?
The process of conducting a Data Protection Impact Assessment does not have a uniform format or strict template to follow. Any assessment backed by documentary evidence can count as a valid DPIA. To conduct a DPIA, it is recommended to perform the following steps:
- Identify the need for a DPIA. First, determine whether your data processing activity could affect the rights and freedoms of individuals. Consider factors such as the nature of the data, the scale of your project, the purposes of processing, whether new technologies or automated decision-making are used, and whether the processing is large-scale or involves sensitive data.
- Describe the data processing. Identify the personal data being processed, the sources of the data, and the flow of data within your organization. This includes providing details such as the nature, purpose, scope, and context of the processing. You should describe the following:
  - How the data is collected.
  - How the data is stored.
  - How the data is used.
  - Third parties with whom the data is shared.
  - The retention period of the collected data.
  - Security measures for protecting the data.
  - Use of new technologies, processes, or automated processing.
  - The criteria used to consider the processing high risk.
- Consider consultation. This is not a mandatory requirement of a DPIA, but we strongly recommend consulting independent experts on IT security, DPIAs, and GDPR compliance best practices. First, consult all the relevant internal stakeholders, especially those responsible for information security. Second, consider consulting data protection officers, the individuals whose data is being processed, or supervisory authorities.
- Assess necessity and proportionality. Organizations should evaluate whether the data processing is necessary for the performance of their tasks and business operations. The assessment should provide documented evidence for the following:
  - The lawful basis of the data processing.
  - Processes established to ensure data minimization.
  - Measures implemented to ensure data necessity.
  - Measures implemented to control the data retention period.
  - Processes implemented to provide personal information to individuals upon request.
- Identify risk. Evaluate the risks associated with the data processing activity, including re-identification of pseudonymized data. Consider the potential harm to individuals: an inability to exercise rights or access services, loss of control over the use of personal data, identity theft or fraud, reputational damage, or loss of confidentiality. Identify the source of each risk, consider its likelihood and severity, and determine whether it can be mitigated.
- Identify risk mitigation measures. Implement security measures to mitigate the identified risks, such as data encryption, access controls, data anonymization, or pseudonymization. Additional measures include limiting the collection of data, reducing the retention period and the scope of processing, training staff, and having policies, procedures, and data-sharing agreements in place.
- Document outcomes of the DPIA. Document the DPIA process and its outcomes and keep records of all the steps taken. Integrate the DPIA results into the project to fix issues and ensure compliance. The DPIA report must include the following information:
  - A detailed description of the project.
  - The scope of the DPIA.
  - An assessment of the identified risks to the data protection and privacy of the organization and its clients.
  - A description of the measures taken to mitigate risks and comply with GDPR guidelines.
Although there is no legal requirement to publish a DPIA, publishing DPIAs in full or in part can be considered a best practice. This helps to increase customers’ trust. However, before publishing a DPIA, get approval from the parties involved, including the Data Protection Officer, supervisory authorities, or members of the management team.
- Keep under review and update. GDPR compliance is an ongoing process, so regularly review and update the DPIA to ensure that it remains accurate and up to date. Regularly verify whether the measures to mitigate the risks have been effectively implemented. Keep in mind that the DPIA is a flexible and scalable process and can be designed to fit the needs of the organization as long as it addresses the key issues.
A Data Protection Impact Assessment is a fundamental aspect of GDPR compliance. It enables organizations to identify and mitigate risks associated with data processing activities, protect individuals' privacy, demonstrate commitment to data protection, and build trust with data subjects and regulatory authorities. When performing a DPIA, execute each step carefully and seek legal help if needed. Remember to keep a copy of the report. You are not obliged to report to the respective Data Protection Authority. However, if the potential risk is high and your organization alone cannot minimize it, consult them for guidance. By incorporating DPIAs into their processes, organizations can be sure they handle personal data according to the law and do not violate GDPR principles.
CookieScript CMP - Your Solution for Data Privacy
It has the following functionalities:
- Google-certified CMP. CookieScript is a Google-certified CMP partner and comes with a full IAB TCF v2.2 integration.
- Supports Google Consent Mode v2. If you want to use Google services (GA4, Google Ads, gtag, and Google Tag Manager) in the EU or EEA, you need to use a Google-certified CMP.
- Local Storage and Session Storage scanning and blocking. GDPR and other privacy laws require blocking of cookies, Local Storage, and Session Storage until user consent is given. However, the majority of CMPs do not offer this functionality. CookieScript blocks both Local Storage and Session Storage.
- Multiple integrations. CookieScript CMP integrates easily with Google services automatically via Google Tag Manager, so you could use Google advertisement products easily. The CookieScript CMP is also integrated with other platforms, including content management systems such as Drupal, Magento, Shopify, WordPress, PrestaShop, etc., and analytics platforms, including Google Analytics 4.
- Fully customizable. CookieScript CMP allows Cookie Banner behavior adjustments and design customization, and has a self-hosted code option.
- Language and jurisdiction support. The CookieScript Cookie Banner and cookie declaration report are translated into 30+ languages and support geo-targeting.
- Easy to set up. CookieScript CMP can be implemented in just a few steps in a privacy-law-compliant way, using banner settings hints for different jurisdictions.
Frequently Asked Questions
What is Data Protection Impact Assessment?
Do I need to conduct a DPIA?
When is Data Protection Impact Assessment mandatory?
A DPIA must be carried out when the organization's project involves new technologies, in particular the Internet of Things and AI, sensitive data handling and automated processing, or video surveillance of public places. It also depends on the nature and scope of the project. CookieScript CMP can help you handle user consent and comply with the GDPR.
How to Conduct a Data Protection Impact Assessment?
A DPIA does not have a uniform format to follow, but it is recommended to perform the following steps: identify the need for a DPIA, describe the data processing, consider consultation, assess necessity and proportionality, identify risks and risk mitigation measures, document the outcomes of the DPIA, and review and update it regularly. CookieScript CMP can help you handle user consent and comply with the GDPR.
Is a DPIA a legal requirement?
DPIAs are a legal requirement for data processing that is likely to result in a high risk. They are not mandatory for all organizations. However, a DPIA should help you to identify and evaluate the potential risks associated with processing personal data and mitigate these risks at the early stages. CookieScript CMP can help you handle user consent and comply with privacy laws.
What is the difference between GDPR and DPIA?
How do I get a DPIA?