GDPR Data Protection Impact Assessment (DPIA) Software for Compliance Automation
The Clarip enterprise privacy software offers DPIA automation for businesses and privacy professionals conducting a Data Protection Impact Assessment or Privacy Impact Assessment (PIA). If your organization is using a manual DPIA/PIA process through questionnaires, interviews, email and Word/Excel/Google Docs, ask for a demo of the Clarip DPIA software!
Call 1-888-252-5653 to schedule a demo of the Clarip Data Protection Impact Assessment software and other privacy modules for data mapping, consent management, the California Consumer Privacy Act and more compliance automation.
Article 35 of the European Union General Data Protection Regulation (GDPR) obliges businesses to conduct a DPIA to assess the impact of certain new technologies or business processes. Records of the DPIA are then kept as part of the Article 30 Records of Processing Activities (ROPA) requirement. Although the law defines when a DPIA must be conducted, guidance from the UK data protection authority, the ICO, suggests that a privacy impact assessment can be helpful even when it is not strictly required by EU privacy law. Additionally, where an organization decides not to conduct a DPIA, it should still keep a record of what was considered in reaching that decision and of the final outcome.
The result is that DPIA software can be extraordinarily helpful in the GDPR compliance process. It can assist in developing and distributing surveys, make responding easier, send reminders, track follow-ups, record decisions, and maintain a record of the resulting modifications so that any subsequent regulator questions can be answered.
GDPR Article 35
Article 35 of the GDPR creates an obligation to conduct an assessment of the impact of a new technology or business process on the protection of personal data before implementing it when it is likely to result in high risk to the rights and freedoms of natural persons.
Subsequently, the Article 29 Data Protection Working Party issued guidelines on determining what should be considered likely to result in a high risk. Factors to consider include: profiling; automated decision-making with a legal or similarly significant effect; systematic monitoring in circumstances where an individual may be unaware that data is being collected; sensitive data such as political opinions or criminal convictions; large-scale data processing; the combination or matching of data sets; and data concerning vulnerable subjects such as employees, children and the elderly.
DPIAs are a way to identify and minimize data protection risks when starting a new project. While they are required in some instances, they are generally considered a useful tool when used beyond those situations where they are expressly required.
They are also used at the start of implementing a GDPR compliance program to assess the current level of data privacy and protection. If the organization has already considered and documented the relevant risks and safeguards for privacy through a PIA, it may not need to be redone. The ICO has said that it does not expect a new DPIA for established processing where the organization has already considered the risks and safeguards to data privacy and protection. It does not matter if this was part of a PIA or another formal or informal risk assessment process. The one situation where a DPIA would need to be performed is if there has been a “significant change” in the nature, scope or context/purpose since the previous risk assessment. In addition to identifying and fixing problems, DPIAs are used to demonstrate compliance with GDPR obligations and become an important component of the necessary documentation under Article 30.
The DPIA Requirement
Many organizations already carry out Privacy Impact Assessments (PIAs) as part of following best practices in privacy. The GDPR creates a new obligation to conduct a DPIA when the processing is likely to result in a high risk to individuals' interests.
The DPIA broadly considers the risks to the rights and freedoms of individuals. The focus is on the potential harm to individuals and to society at large. It considers both the likelihood and the severity of the impact on individuals. If a DPIA does not eliminate the risks identified, it should help minimize them and assess whether the remaining risks are justified. If a DPIA concludes that there is a high risk to individuals' interests that cannot be mitigated, the draft ICO guidance says that the organization must consult the ICO before it starts the processing.
Organizations that already conduct PIAs should make sure that they have reviewed their screening questions so that DPIAs are completed at the appropriate time, that they have included the specific requirements for DPIA content, that they are bringing their DPO or outsourced DPO into the DPIA process, and that they are considering the impact on individuals' rights and freedoms as part of the process.
DPIAs may be conducted jointly by a group of controllers and cover either a single processing operation or a group of similar operations.
When is a DPIA Required?
The GDPR requires a DPIA for:
– systematic and extensive profiling with significant effects;
– processing special category or criminal offence data on a large scale; or
– systematically monitoring publicly accessible places on a large scale.
The UK ICO draft guidance lists further cases in which a DPIA is required, including:
– use of new technologies;
– use of profiling or special category data to offer access to services;
– large-scale profiling;
– processing biometric or genetic data;
– matching of data or data sets from more than one source;
– invisible processing, i.e. collecting personal data from third parties without disclosing this to the individual;
– tracking location or behavior;
– profiling, marketing or online services aimed at children; or
– processing data that might endanger health or safety in the event of a security breach.
The ICO also recommends that a DPIA should be done for any major new product involving the processing of personal data even if there is no specific indication of high risk.
Risks for Consideration
Recital 75 describes the risk to the rights and freedoms of natural persons that should be considered. The risks include both actual harm and the possibility of intangible harm. They include the potential for:
– identity theft
– financial loss
– damage to reputation
– loss of confidentiality
– any other significant economic or social disadvantage
– loss of control over their personal data
The Importance of Conducting DPIAs
The ICO draft guidance on data protection impact assessments notes a few different benefits of conducting a DPIA.
A DPIA is a legal requirement for certain types of processing, and failing to conduct one can carry large fines. By conducting DPIAs, the organization also builds some of the documentation needed to meet its Article 30 recordkeeping requirements.
DPIAs can be used to build trust and engagement with the people using an organization’s services.
DPIAs can also save an organization money by identifying problems early, when they can be solved more simply and cheaply than after the processing has been implemented.
The DPIA Process
Here is a diagram from the ICO highlighting the steps of the DPIA process:
There are a few exceptions to the requirement for conducting a DPIA:
– Processing on the basis of legal obligation or public task if the specific conditions for the exception are met.
– There is a substantially similar DPIA where the nature, scope, context and purposes of processing are all similar.
– The processing is on a list of processing operations approved by the Supervisory Authority without a DPIA.