What Is a Data Protection Impact Assessment (DPIA)?
Collecting, storing, sharing, selling, or otherwise transferring personal information is both a fundamental business activity in today’s economy and a massive responsibility for organizations to assume. And while these aims aren’t directly opposed, businesses need to balance them proportionally by weighing the importance and benefits of their data processing activities against the risks involved and the protections in place.
That’s where the data protection impact assessment (DPIA) comes in. A DPIA can help you assess a data processing activity, identify any privacy risks, and manage them before the processing starts. It’s a crucial preparatory step for businesses that process personal data and value their customers’ or partners’ personal information (and the reputation and consumer trust earned by safeguarding it).
What is a DPIA, who is responsible for performing it, and under what circumstances? Let’s dive in and answer these questions.
What Is the Purpose of a Privacy Assessment?
Overarchingly, the goal of a data protection impact assessment (DPIA) or any other kind of privacy impact assessment (PIA) is to understand the requirements, tradeoffs and potential harms of processing personal data.
For example, the Colorado Attorney General defines a “data protection assessment” succinctly as a “genuine, thoughtful analysis that: 1) identifies and describes all risks posed by Processing that presents a heightened risk of harm to a Consumer, 2) documents measures considered and taken to address and offset those risks…; 3) contemplates the benefits of the Processing; and 4) demonstrates that the benefits of the Processing outweigh the risks offset by safeguards in place.”
What Is a DPIA?
A Data Protection Impact Assessment (DPIA) is a privacy risk assessment that is specifically required under the European Union’s and the United Kingdom’s General Data Protection Regulations. The assessment helps you identify how well your business aligns with the GDPR’s privacy principles and compliance requirements. This is done by weighing the business needs against the rights, freedoms and reasonable expectations of individuals, then taking action to mitigate or remedy each data protection risk that is identified. A DPIA requires an organization to ask itself:
- What types of personal data are we handling?
- Is this data inherently sensitive or otherwise specially protected?
- Why is personal data or sensitive personal data needed?
- How is this data obtained?
- Would the data be transferred or shared outside the organization?
- Could the privacy rights and reasonable expectations of individuals be met?
- Is this processing lawful, fair, transparent and proportional?
- What issues, gaps or levels of risk do we have?
- If not remedied, could these issues lead to privacy harms for individuals?
A DPIA helps organizations be more aware and intentional about the personal data they collect, store, share, sell, or otherwise transfer, and keep their business practices involving personal data proportional to the need. For example, retaining sensitive personal information for longer than necessary and failing to protect it using state-of-the-art security measures can make an organization an attractive target for theft. The organization is then vulnerable to data breaches that in turn can lead to significant privacy harms like identity theft.
Examples of sensitive personal information include:
- Government issued identification
- Political opinions or affiliations
- Racial or ethnic origins
- Religious or philosophical beliefs
- Children’s data
- Health and ailment data
- Uniquely identifiable biometric and genetic data
- Criminal conviction data
Sensitive personal information can also include:
- Financial account numbers with access codes
- Immigration and naturalization information
- Email and phone communication contents
- Health fitness information that can predict health conditions
What information is sensitive and should be especially protected is as much a question of what the law specifically defines as of context: what the data is, how it is used and by whom. This context extends to the nature of your business and the specific laws and regulations you must comply with.
Granted, not all data privacy risks can be completely eliminated. Nor are risks, impacts and privacy harms solely about the sensitivity of the data being processed. Sensitivity is one of a number of risk and harm factors that should be considered.
Remember, a DPIA is primarily about why people’s data is processed, how, and what can go wrong if it is mishandled, misused or abused. When conducting DPIAs you should always keep in mind the effects on the privacy rights, freedoms, and evolving privacy expectations of data subjects.
Who Is Responsible for DPIA?
In short, any organization processing Europeans’ personal data is responsible for conducting privacy reviews. The obligation to be a good privacy and data protection citizen applies to businesses, their partners and service providers.
Those who have done business in the EU or the UK are likely already familiar with Article 35 of the General Data Protection Regulation (GDPR), which outlines a broad range of operational requirements that include DPIAs. They are likely also familiar with the pan-European guidance from the European Data Protection Board and the further guidance from influential national data protection authorities such as the Irish DPC, CNIL in France, and the UK ICO.
When doing business in the EU, a DPIA would be required if:
- A proposed new business process may involve collecting special category personal data, such as political opinions, ethnic origin, uniquely identifying biometric data, and precise location information
- Personal data will be used to evaluate or make certain business decisions that may have legal or similarly significant consequences
- The activity involves large-scale monitoring of individuals online or in public areas
- You’re considering handling personal information about children or other vulnerable groups
- You are using new or novel technologies, or the data in new or novel ways (e.g. algorithmic decisioning using AI)
Outside of Europe
Data protection impact assessments are not uniquely European. The United States has a long-standing practice of conducting similar assessments. These can go by different names, like privacy impact assessments (PIAs) or privacy risk assessments (PRA). As an example, the E-Government Act of 2002 includes requirements for federal agencies to conduct PIAs for processes that involve handling personally identifiable information (PII).
For those doing business in the private sector in the United States, you may already perform data privacy risk assessments required in your industry to satisfy certain data collection and use requirements, such as under these federal laws:
- Health Insurance Portability and Accountability Act (HIPAA)
- Children’s Online Privacy Protection Act (COPPA)
- Fair Credit Reporting Act (FCRA)
Starting with California, Virginia and Colorado, US states are introducing GDPR-like privacy impact assessments as part of their comprehensive privacy reforms. In 2023, the California CPRA will require “privacy risk assessments”; Virginia’s CDPA and Colorado CPA will require “data protection assessments”.
Even under circumstances when a DPIA isn’t technically required, the steps involved with the process can still help you take the necessary precautions to make your business’s operations more informed, needs-based and accountable for both your benefit and your customers’. Remember, a DPIA-by-any-other-name is a multi-use arrow in your privacy program management quiver.
When Should DPIA Be Carried Out, and What Triggers a DPIA?
As stated above, a DPIA should generally be carried out before any projects, activities, or professional services that would involve collecting, storing, or otherwise handling sensitive personal information. There are other triggers that consider the scope and scale of the activity, whether it will take place across borders, and whether it can lead to significant or unintended consequences if mismanaged.
Under forthcoming state privacy laws, many fine details about what a data risk assessment must involve are still pending. As they stand now, the following are a sampling of state requirements and some situations that would trigger some form of personal data risk assessment:
- California Privacy Rights Act (CPRA) – Requires “regular assessments” when the “processing of consumers’ personal information presents significant risk to consumers’ privacy”.
  - Such a risk assessment would consider multiple factors and implications “including whether the processing involves sensitive personal information.”
  - Going through the process, the business will be “identifying and weighing the benefits resulting from the processing” for all the parties concerned “against the potential risks to the rights of the consumer associated with that processing”.
  - As under the GDPR, the end-goal of the assessment would be the “restricting or prohibiting the processing” if privacy risks outweigh the rewards.
- Colorado Privacy Act (CPA) – Data protection assessments must be handled by a controller, who may need to report them to Colorado’s Attorney General when necessary to confirm compliance. They should take place before the processing or sale of personal data or use of targeted data profiles for advertising that could present a “heightened risk of harm,” including financial or physical injury to consumers.
- Virginia Consumer Data Protection Act (VCDPA) – Similar to Colorado’s law, a controller must perform and document a data protection assessment and report information to the Virginia attorney general when necessary to determine compliance. Data protection assessment triggers include:
  - Personal data used for targeted advertising
  - The sale of personal data
  - The automated processing of sensitive personal data
  - Data processing activities involving a “heightened risk of harm to consumers”
  - Processing personal data for the purpose of profiling, including when that information could cause financial, physical, or reputational harm to the individual.
The DPIA Process
DPIAs by any name are an essential part of an effective privacy management program. The process by which you would conduct a DPIA (or PIA or PRA as the acronym may be) should be agile and flexible to meet your organizational culture, company size, industry sector and product / service development approach. For publicly traded organizations and those in specially regulated sectors, the process may need to be more rigid and inclusive of other kinds of regulatory compliance and risk assessment needs. The point is that privacy is an equal stakeholder in the risk management process and not an afterthought.
DPIA Awareness Checklist
The first step of completing a data privacy impact assessment is understanding your goals. Are you obligated to conduct a DPIA for a particular type of activity under applicable law? Are you looking to go beyond mere compliance by building a best practice, privacy-first culture within your organization? The end-benefit is the same – identifying and mitigating gaps, issues and risks to you, your customers and stakeholders.
As you do so, it may be helpful to ask yourself the following questions:
- What personal information does our organization usually handle? Is the product, project or activity we are looking at something familiar?
- Is the collection and use of people’s data, particularly if it is specially regulated or otherwise sensitive, necessary and unavoidable?
- What legal and industry compliance requirements does this subject our organization to?
- Does our staff have the necessary training to undergo a DPIA?
- Have we planned and documented the steps of our DPIA process?
- Do we have executive support and the resources we need to move forward? (A DPIA can be a time- and resource-consuming process.)
These kinds of questions should ideally be settled at the organizational level, and before a project is initiated.
DPIA Process Checklist
Generally, the DPIA process by any other name involves the following actions:
- Assess what personal information – mundane vs. sensitive – is being collected and why, as well as the ethical implications of doing so.
- Assess the nature and benefits of the processing activity.
- Identify how data may change or change hands, including whether it will be shared outside your organization.
- Identify whether you can ensure fair play through organizational, contractual and technical controls, including through appropriate security safeguards.
- Take steps to mitigate discovered risks and correct operational deficiencies.
- Determine whether and when to revisit the assessment, such as when there is a material change in the activity.
- Periodically reassess the effectiveness of your DPIA/PIA/PRA process.
The overarching goal of a DPIA is to understand the facts, benefits, trade-offs and risks of utilizing people’s data.
For example, when describing the goals and standards for privacy risk assessments under Colorado’s Privacy Act (effective July 1, 2023), the Colorado Attorney General’s Office contemplates an organizational effort that is “…a genuine, thoughtful analysis that: 1) identifies and describes all risks posed by Processing that presents a heightened risk of harm to a Consumer; 2) documents measures considered and taken to address and offset those risks, including those duties required [of Data Controllers]; 3) contemplates the benefits of the Processing; and 4) demonstrates that the benefits of the Processing outweigh the risks offset by safeguards in place.”
Not surprisingly, this is consistent with the principles and expectations for Data Protection Impact Assessments under Article 35 of the GDPR. When it comes to addressing harms from the misuse or abuse of personal data, it is truly a case of ‘same shores, similar boats’.
The Impact of Not Conducting a DPIA
DPIAs are important because they help your organization identify potential data privacy risks and implement proper protections before personal information is collected, used or shared.
Taking steps to complete a DPIA will also involve establishing procedures for conducting such assessments cross-functionally, and agilely as circumstances and organizational structures change.
Additionally, completing a DPIA shows others you’re serious about protecting individuals’ privacy and using information about them responsibly. Irrespective of the specific privacy and consumer protection laws your business is subject to, timely and genuine privacy risk assessments can build trust internally and among your clients and customers.
Protect Customers’ Personal Data with DataGrail
Your users’ data matters, and DataGrail can help you use it knowingly, transparently and in line with individuals’ growing privacy expectations.
DataGrail’s integrated data privacy solution can help with that. Our data privacy platform creates a centralized location from which you can manage the core pillars of your privacy program. Notably, with DataGrail, you can automate privacy requests with Request Manager and gain visibility and control over personal data with the Live Data Map.
Ready to take your privacy program to the next level? Request a demo of the DataGrail platform.
BCLP Law. Comparing the Data Protection Assessment Requirements Across the Next Generation of U.S. State Privacy Laws. https://www.bclplaw.com/en-US/insights/comparing-the-data-protection-assessment-requirements-across-the-next-generation-of-us-state-privacy-laws.html
Colorado Attorney General’s Office. Data Security Best Practices. https://coag.gov/app/uploads/2022/01/Data-Security-Best-Practices.pdf
Colorado General Assembly. Colorado Privacy Act. https://leg.colorado.gov/…/2021a_190_signed.pdf
GDPR.eu. Data Protection Impact Assessment. https://gdpr.eu/data-protection-impact-assessment-template/
Information Commissioner’s Office. What is a DPIA? https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/what-is-a-dpia/
State of California Department of Justice. The California Privacy Rights Act of 2020. https://oag.ca.gov/…/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf
The United States Department of Justice. E-Government Act of 2002. https://www.justice.gov/opcl/e-government-act-2002
Simmons and Simmons. Data Protection Impact Assessment: the French DPA publishes list of processing operations. https://www.simmons-simmons.com/…/271118-french-data-protection-impact-assessment
Virginia’s Legislative Information System. Consumer Data Protection Act. https://lis.virginia.gov/cgi-bin/legp604.exe?212+ful+CHAP0035+pdf