Risk Management with a Data Protection Impact Assessment (DPIA)
Any organization that handles personal data, whether for clients, customers, or other stakeholders, must protect it and use it responsibly to mitigate harms ranging from statutory noncompliance to damage from a personal data breach.
Of the safeguards available in today’s high-risk digital environment, privacy risk assessments by any name are a tried and true arrow in every privacy professional’s quiver.
When it comes to personal data subject to the European Union (EU) General Data Protection Regulation (GDPR) or the California Consumer Privacy / Privacy Rights Act, your organization may be required to conduct such assessments. However, even if you are not strictly obligated to undertake privacy risk assessments by any name, there are benefits to embedding the discipline within your business—as a matter of best and prudent accountability practice.
Below, we’ll explore what a DPIA is, why you should conduct one, and how best to optimize such assessments.
What Does DPIA Mean?
A Data Protection Impact Assessment (DPIA) is a method that helps organizations subject to the EU GDPR effectively identify and mitigate privacy-compliance and related risks.
The goal of a DPIA—or any other kind of privacy impact assessment (PIA)—is to understand the requirements, tradeoffs and potential harms related to processing activities involving individuals’ personal data. Potential harms may include:
- Identifiability and linkability – Individuals and their browsers or devices can be singled out if their data privacy isn’t maintained. While some data may not be enough on its own to identify an individual, different pieces can be linked together to do so, such as someone’s name, email, and account number.
- Secondary uses and disclosure to third parties – If personal data is used for secondary purposes outside the reasons for the initial collection, it may result in undesirable outcomes or risks to individuals (e.g., a household receiving promotions for infant clothes when a household member has intentionally not informed the others of their pregnancy).
- Unawareness – If employees are unaware of the responsibilities they have toward personal data, they may commit privacy violations unknowingly. Regardless of intention, associated penalties and additional ramifications (e.g., loss of consumer confidence) will still apply.
DPIAs take place before the processing activity, as it is critical to identify and mitigate privacy risks early on before they develop into high-impact threats (e.g., statutory noncompliance).
DPIA Within the EU GDPR Framework
Within the context of the EU GDPR, DPIAs help streamline data privacy compliance for organizations that handle the personal data of EU residents. If you plan to or currently process personal data, you may be required to conduct a DPIA.
According to the GDPR, a data controller and processor must uphold the privacy rights and freedoms of data subjects when performing any activity. This involves:
- Adhering to the foundational privacy principles and protection obligations enshrined in the GDPR, which extend out into contractual, technical and organizational considerations
- Respecting data subjects’ rights such as to access, correct or delete their personal data
- Ensuring data that is transferred internationally or to a third country will similarly be protected and respected.
Failure to comply with the above can result in hefty non-compliance penalties, as high as €20 million or 4% of global revenue.
If you’re unsure of your current or future data privacy posture per the GDPR requirements, conducting a DPIA risk assessment will help evaluate the potential privacy risks across data processing activities.
When Should a DPIA Be Carried Out?
Per GDPR Article 35, a DPIA should be conducted before implementing data processing technologies or initiating processing activities that pose a “high risk to the rights and freedoms of natural persons.” The risk assessment here will also depend on the “nature, scope, context, and purposes of the processing.”
Let’s break down some categories of data processing that put the personal data of EU residents at risk from misuse or abuses.
Data Processing Activities Requiring DPIAs
Your organization will require a DPIA to ensure the protection of individuals’ privacy and your compliance with the GDPR’s strict regulations if you are processing data:
- Using new technologies (to your organization or the market in general)
- Obtained via large-scale systematic monitoring of individuals, their locations, interests and behaviors
- To make automated decisions about subjects, with legal or other serious implications
- Belonging to children or other vulnerable groups
- Whose exposure could result in physical, financial or social harm to subjects
- That includes any of the “special categories” identified in Article 9 of the GDPR:
  - Racial and ethnic origin
  - Political opinions and affiliations
  - Religious or philosophical beliefs
  - Genetic or biometric identifiers
  - Health data
  - Sexual orientation or activity
Why You Should Conduct DPIAs Regularly
Although DPIA assessments apply to high-risk data processing scenarios such as those described above, it is wise to proactively mitigate data privacy risks by conducting these assessments on any activities whose data protection risk is uncertain.
Failure to respect data privacy can result in individuals suffering from identity theft, compliance violations and associated penalties, disrupted business continuity, and damage to your reputational standing. Reputational damage should be of particular concern, as a recent study revealed:
- Over 80% of respondents are concerned over companies’ handling and use of their data.
- Roughly 60% of respondents think that companies are actively handling or using their data improperly or without respect for their privacy.
- Roughly 90% of respondents believe that strict, respectful, and transparent data privacy efforts would result in them forming better relationships with companies—and 33% report they would refer companies that do to their network.
Beyond identifying and managing privacy risks early on, DPIA assessments demonstrate your commitment to a long-term privacy risk mitigation strategy.
What Does a DPIA Contain?
A DPIA is essentially a structured assessment of the potential risk to data privacy. In the context of the GDPR, a DPIA increases awareness about existing and unknown privacy risks.
Per GDPR Article 35, a DPIA must include:
- A description of processing activities – If you are planning to implement data processing activities, the DPIA risk assessment must describe the purposes thereof and your legitimate interest in conducting these activities.
- A justification of the processing activities – You must also describe why you need to process data using the activities described and at the corresponding scale. Including a necessity and proportionality justification in the GDPR DPIA ensures the activities used to process personal data align with the purposes outlined by a controller.
- An evaluation of data privacy risks – The DPIA must also identify any potential risk to the rights and freedoms of the data subject, ensuring these are addressed before they can directly impact these individuals.
- A report on risk mitigation safeguards – If you identify any risks to the rights and freedoms of data subjects, you must also outline mechanisms and measures you will use to safeguard data privacy. Compliance with the GDPR data privacy requirements comes into play here as a relevant approach to protecting the interests of data subjects.
The above components serve as a baseline for DPIA assessments. Since every organization has a unique data privacy posture, GDPR DPIA assessments must be optimized to reflect these needs, current or anticipated.
What Goes into a DPIA Process?
A robust, agile process would consist of:
- A cross-functional team of lawyers, engineers, program managers, business and process owners, privacy specialists, and operations leaders – privacy is a team sport.
- A discovery process to capture the facts, goals and reasons behind the product, project or activity being assessed – privacy is subjective and context matters.
- A principle-based analysis of the benefits and tradeoffs from the activity – privacy is a balancing act of business needs against privacy expectations.
- A thoughtful assessment of technical or organizational deficiencies and realistic solutions – where your multidisciplinary team can shine.
- The documentation of outcomes and any mitigation decisions – accountability means executive sign off on plans.
- The socialization of decisions to the organization – this builds a privacy culture and operational muscle memory.
Risk Assessments with a DPIA Checklist
To optimize the GDPR DPIA risk assessment and increase its overall effectiveness, you can consider leveraging a DPIA checklist.
The activities on this checklist may include:
- Conducting an inventory of the types of personal information you process
- Evaluating the necessity of data collection events, especially for sensitive data types
- Training and onboarding staff to DPIA processes and procedures
- Identifying other necessary legal and regulatory frameworks to which the data is subject
- Planning out documentation processes for all the DPIA steps
When implemented effectively, a DPIA assessment will significantly reduce the privacy risks to any sensitive data you process.
US Variations of the DPIA
Remember, a formal DPIA is a particular data privacy assessment as stipulated and required by the GDPR. Other privacy laws, including those enacted at the state level in the US, may require comparable assessments. For example, California and Colorado state privacy laws will require the following DPIA-like privacy assessments:
- The California Privacy Rights Act (CPRA) requires so-called Privacy Risk Assessments if there are potential high-impact privacy risks to consumers’ personal data. Before starting a project involving such data, organizations must evaluate these risks and compare them to the anticipated benefits.
- The Colorado Privacy Act (CPA) requires Data Protection Assessments. Per the Colorado Department of Law, their state’s definition of a DPA is “a genuine, thoughtful analysis” of described risks that present a “heightened risk of harm to a Consumer,” describes measures taken to “address and offset those risks, contemplates the tradeoffs of the processing, and demonstrates whether the benefits outweigh the risks if offset by appropriate safeguards.”
Beyond California and Colorado, Virginia and Connecticut’s state privacy laws require similar assessments.
Whether data is processed in the EU under the GDPR, in the United States, or in any other geographic region, DPIAs will help you stay on track with privacy safeguards.
Enhance Your Data Privacy Safeguards with DataGrail
If you are looking for a robust tool to manage data privacy risks, then DataGrail can help. We empower your team to create and manage privacy assessments, as required by GDPR, CCPA/CPRA, and wherever privacy legislation is enacted in the future.
We cut down manual work by auto-populating assessment templates using our deep integrations, saving you and your technical teams from hunting for personal data in your tech stack… or flipping through binders of contracts and legalese.
To learn more, check out the DataGrail data privacy platform.
California Legislative Information. California Privacy Rights Act (CPRA). https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5
Colorado Department of Law. Colorado Privacy Act (CPA) Rulemaking. Proposed draft rules. https://coag.gov/app/uploads/2022/10/CPA_Final-Draft-Rules-9.29.22.pdf
EU GDPR. Art. 9 GDPR Processing of Special Categories of Personal Data. https://gdpr.eu/article-9-processing-special-categories-of-personal-data-prohibited/
EU GDPR. Art. 35 GDPR Data Protection Impact Assessment. https://gdpr.eu/article-35-impact-assessment/
EU GDPR. Data Protection Impact Assessment (DPIA). https://gdpr.eu/data-protection-impact-assessment-template/
EU GDPR. What is GDPR, the EU’s New Data Protection Law? https://gdpr.eu/what-is-gdpr/
VentureBeat. Data privacy truly matters to your customers. It’s time to make it a core business value. https://venturebeat.com/security/data-privacy-truly-matters-to-your-customers-its-time-to-make-it-a-core-business-value/