How to Conduct GDPR & CCPA/CPRA Data Privacy Risk Assessments
The data privacy safeguards in regulatory frameworks like the EU General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) are crucial to protecting the privacy rights and freedoms of individuals.
Comprehensive, auditable privacy risk assessments like the GDPR Article 35 Data Protection Impact Assessment (DPIA), the CPRA Civil Code §1798.185(a)(15)(B) Privacy Risk Assessment, or a generic Privacy Impact Assessment are a foundational part of any privacy management program. They are the tools you use to systematically identify, analyze and minimize the privacy risks of a product, project or activity that involves personal data.
Below, we’ll cover how organizations subject to the GDPR and the CCPA/CPRA comply with these regulations and manage data privacy risks using privacy risk assessments.
What is the goal of any privacy risk assessment?
The universal goal of any privacy risk assessment is to understand the requirements, tradeoffs and potential harms of processing personal data.
So, how does a DPIA-by-any-other-name ‘work’ within the context of the GDPR, the CCPA/CPRA and elsewhere?
“Data Protection Impact Assessments” Under the GDPR
GDPR Article 35(1) requires a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of individuals. The threshold is likelihood, not certainty: the assessment is carried out before the processing begins, on the basis of foreseeable risk. The European Data Protection Board (EDPB), the UK Information Commissioner's Office (ICO), France's CNIL and other European data protection authorities publish non-exhaustive criteria, which include:
- New-to-you activity. If you want to work with a new SaaS vendor, launch a new product, expand into a new market, or significantly change an existing business process involving personal data, you will want to assess likely privacy risks.
- Sensitive personal data. If you will use data that the law defines as sensitive (e.g. GDPR "special category" data or CPRA "sensitive personal information"), the risk is objectively higher and must be accounted for.
- Novel technologies. Bleeding-edge technologies like AI are lightly regulated and their effects on individuals are harder to predict, so they are more likely to produce unintended or heightened impacts.
- Systemic monitoring & profiling. Activities that rely on large-scale, persistent monitoring of individuals are inherently privacy-intrusive and should be evaluated.
- Scoring & evaluation. Activities that evaluate or score individuals in ways that can seriously affect their legal rights or their personal or professional lives.
Beyond the above examples, a DPIA can be used to assess any data processing activity. This is because any personal data, regular or sensitive, can be used unlawfully, opaquely, unfairly, excessively, carelessly and with disregard for the rights, reasonable expectations and choices of individuals.
What a GDPR DPIA includes
At a minimum, a DPIA captures:
- Descriptions of the data processing activities being assessed
- An evaluation of the "necessity and proportionality" of the processing in relation to its purpose
- An assessment of the potential risks to the data subject’s rights and freedoms
- A detailed privacy risk mitigation plan, including proposed compliance safeguards
GDPR Article 35(2) requires you to seek the advice of your appointed Data Protection Officer (DPO) where one is designated, and Article 36 requires prior consultation with your supervisory (data protection) authority if the DPIA shows a high residual risk that your safeguards cannot bring down. Outside counsel and other external expertise can streamline your compliance process and advise on the best course of action when conducting a GDPR DPIA.
Remember, a DPIA is a tool and a process. It should be right-sized to your organization, particularly when it adopts new technologies or ventures into new markets.
“Privacy Risk Assessments” Under the CPRA
The CPRA’s concept of a “privacy risk assessment” is analogous to the one in the GDPR. California businesses are expected to conduct regular privacy assessments that:
- Consider whether they process sensitive personal data.
- Evaluate the benefits vs. risks of processing personal data for the business, its consumers, the public, and other stakeholders.
- Refrain from processing where the risks to consumers' privacy outweigh the benefits of the processing to the consumer, the business, other stakeholders and the public.
The CPRA's provisions become operative on January 1, 2023.
However, per the Notice of Proposed Rulemaking published by the California Privacy Protection Agency, the specific standards and expectations related to privacy risk assessments, cybersecurity audits, and automated decision-making will be forthcoming as part of a subsequent rulemaking process.
Nevertheless, the overarching principles, themes and outcomes of CPRA Privacy Risk Assessments echo well-trodden GDPR DPIA ground, so the same assessment methods and processes apply. The nuances, as always, lie in certain definitional and focal differences. (For example, California takes special note of data "sales" and "sharing"; Europe takes special note of international data transfers.)
Manage Privacy Risks with Datagrail’s Platform
Privacy risks are best managed with a comprehensive understanding of your data processing footprint – the data, its uses and the systems that support your business needs.
When it comes to simplifying and automating your CCPA/CPRA and GDPR compliance, DataGrail's data privacy platform can help. We take the pain out of privacy risk assessments, for the GDPR, the CPRA and beyond.
Interested in a privacy solution that scales? Check out DataGrail’s data privacy platform.
California Privacy Protection Agency. Notice of Proposed Rulemaking. https://cppa.ca.gov/regulations/pdf/20220708_npr.pdf
California Legislative Information. California Consumer Privacy Act (CCPA). https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5
California Legislative Information. California Consumer Privacy Act (CCPA) Civil Code 1798.185. https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.185
EU GDPR. Art. 35 GDPR Data Protection Impact Assessment. https://gdpr.eu/article-35-impact-assessment/
EU GDPR. Everything You Need to Know About the GDPR Data Protection Officer (DPO). https://gdpr.eu/data-protection-officer/
EU GDPR. What is GDPR, the EU’s New Data Protection Law? https://gdpr.eu/what-is-gdpr/