Data Protection Impact Assessment (DPIA)

Key Points

• Data Protection Impact Assessment helps to identify and mitigate risks associated with processing people’s data. 
• It is mandatory to conduct DPIA as stated in article 35 of GDPR guidelines.
• Conducting DPIA helps to demonstrate that your cloud-hosted company follows best practices to the relevant authorities.

Introduction

Data Protection Impact Assessment (DPIA) is a part of the EU’s General Data Protection Regulation (GDPR). 

For the uninitiated, GDPR is the EU’s new law formed to unify all data protection laws across the European Union. 

According to the GDPR Certification, performing DPIA is now mandatory for any cloud-hosted company that launches a new project that involves the processing of the personal data of customers. 

Conducting DPIA is one of the best ways to demonstrate your compliance with GDPR to the relevant authorities if your company processes any type of customer personal data 

That said, if you’re not sure what is involved in a DPIA process or how to conduct GDPR data protection impact assessment, you’ve come to the right place. 

This article will explain everything you need to know about DPIA, and the 5-step process you need to follow to conduct DPIA for your cloud-hosted company. 

What is Data Protection Impact Assessment?

DPIA is a process created to identify any kind of risks that may arise while collecting, storing, using, or processing personal data. The primary intent of DPIA is to discover, study, and minimize data protection risks found in the new project launched by your cloud-hosted company.

Conducting data protection impact assessments has become compulsory in various situations. For instance, conducting DPIA is mandatory if your company is planning to execute profiling activities using personal data.

There are many other instances where conducting a DPIA is mandatory, and we shall discuss them soon enough. For now, let’s talk a little more about impact assessment data protection under GDPR in detail.

GDPR Data Protection Impact Assessment

Data Protection Impact Assessment is a new mandate of GDPR. It is now an official part of the “data protection by design” principle as updated in article 35 of GDPR. 

According to the new law, if your cloud-hosted company is processing any type of personal data that could result in high risks to the freedom and rights of the average person, you must carry out a data protection impact assessment before processing your customers’ data.

Here are some examples of situations where conducting DPIA becomes mandatory for your cloud-hosted company:

• When using new technologies
• When tracking users’ behavior or location
• When monitoring a publicly accessible place extensively 
• When processing children’s data
• When processing personal data related to ethnic origin, political opinions, religious & philosophical beliefs, genetic data, biometric data, and data concerning the health or sexual orientation of a person
• When processing personal data to make automated decisions about customers that can ultimately have legal consequences

That said, even if your company’s new project does not meet high-risk standards, we still recommend performing DPIA for two reasons. 

1) Conducting DPIA will help you discover and eliminate any data protection-related liabilities. 

2) It will showcase that your company follows the best practices  in the industry to protect personal data. This will help you win your customers’ trust & demonstrate it to concerned authorities. 

Now, if you’re not sure how to go about performing a data protection impact assessment, we’ve already got you covered. 

Below, we’ve shared a 5-step process you can follow to conduct a impact assessment data protection for your cloud-hosted company’s new project.

Data Protection Impact Assessment Guidelines

While there is no prescribed process to perform data protection impact assessment, the Article 35 of GDPR does outline the following four minimum features requirements:

• A description of envisaged processing operations & their purpose
• An explanation of the necessity & proportionality of processing
• An assessment of the risks regarding the rights & freedoms of individuals
• The system was established to address the risks & demonstrate compliance with GDPR

This broad and generic nature of the DPIA framework gives you complete flexibility and scalability to design a DPIA that perfectly matches your cloud-hosted company’s needs.

That said, the following are the steps you need to take for conducting a thorough impact assessment data protection.

Step 1 – When Might a Data Protection Impact Assessment Be Used

Before designing the data protection impact assessment process, you need to first verify if conducting DPIA is necessary or not. 

To determine if DPIA is required, all you need to do is check the below aspects of your cloud-hosted company’s new project: 

• Nature – What do you plan to do with your customers’ data
• Scope – Which personal data will be processed
• Context – Internal and/or external factors that might affect expectations
• Purpose – Why does your new project need to process your customers’ data

Step 2 – Determine Who Shall be Involved

There are various personnel that must be involved in a data protection impact assessment. 

For starters, you must appoint a dedicated person in charge who will monitor and ensure the successful development of your new project.

Secondly, there must also be a Data Protection Officer (DPO) who needs to be involved in conducting DPIA. 

And in case you’re utilizing GDPR data processors such as a legal person, agency, public authority, or any such body that processes personal data, you must ask them to provide necessary relevant information and assistance. 

Lastly, you should also consider seeking external counsel from privacy experts like lawyers, security analysts, and security professionals. 

Step 3 – Evaluate Your Data Protection and Related Risks

Start by creating a list of all your assets and inspect them for any vulnerabilities. 

For instance, if you store your customers’ data on a server, look for any risks associated with it such as potential vulnerabilities, cyberattacks, hardware failures, etc.

To discover all associated risks, perform a risk analysis considering the following criteria:

• Personal data whose exposure or loss can affect operations
• Processes that use those personal data
• Possible threats that are likely to damage your company’s ability to function properly
• The probability and severity of all discovered threats

Step 4 – Develop & Determine Data Protection Processes and Tools

The next step is to develop appropriate data protection processes and determine the tools for executing relevant risk mitigation measures. 

In addition to that, you must document all discovered risks with their specific solutions to mitigate those risks with a detailed process.

Step 5 – Create a Final DPIA Report

Although it is not legally required to produce DPIA reports, it is considered a best practice to produce and publish DPIA reports either in full or in parts. 

A DPIA report helps to establish trust among your prospects. More importantly, it helps in demonstrating accountability & transparency to the relevant authorities as well as stakeholders.

That said, if you are creating a DPIA report for the first time, be sure to mention & highlight the four minimum requirements we shared earlier. We’ve listed them here again 🙂

• A comprehensive explanation of your new project & its purpose
• Assessment of scope and the need for processing personal data
• Evaluation of personal data protection and privacy-related risks
• Clarification of how you will mitigate the discovered risks to comply with the GDPR

Lastly, be sure to take the approval of all parties involved including the Data Protection Officer, stakeholders, board members, and members of the top management team. 

Conclusion

Data Protection Impact Assessment is an extremely complicated and (sometimes) confusing process. But it is mandatory if your cloud-hosted company processes your customers’ personal data.

Sprinto, an automated compliance platform, can help you demonstrate your GDPR compliance by conducting DPIA for your cloud-hosted company.

Our platform can automate the entire DPIA process for your company, saving your precious time and effort. Learn more about how exactly Sprinto can help with your Data Protection Impact Assessment through our demo.

FAQ: (DPIA) Data Protection Impact Assessment

What is a data protection impact assessment in GDPR?

DPIA is a type of risk assessment under the GDPR. It helps to discover and mitigate risks related to personal data processing activities. For example, if processing the personal data of your customers who visit your website is likely to result in a high risk, you need to conduct a DPIA.

Is conducting DPIA mandatory?

Yes, according to Article 35 of GDPR guidelines, conducting a DPIA is mandatory whenever you run business operations that increase the risk of personal data of individuals. 

When data protection impact assessment should be performed?

You should perform impact assessment data protection from the beginning of any new project as well as during the planning and development stages. 

Who should conduct a DPIA?

DPIA should be conducted by the appointed person heading the new project along with Data Protection Officer (DPO) if your cloud-hosted company has one. 

Do I need a data protection impact assessment?

The primary intent of DPIA is to discover, study, and minimize data protection risks in the new project launched by your cloud-hosted company. Conducting data protection impact assessments has become compulsory in various situations. For instance, DPIA is mandatory if your company plans to execute profiling activities using personal data.