Step Six: Operationalize Impact Assessments
Some of the potential harms a DPIA seeks to uncover and address include:
- Identifiability and linkability: Individuals and their browsers or devices can be singled out if their data privacy isn’t maintained. While some data may not be enough on its own to identify an individual, different pieces can be linked together to do so, like someone’s name, email, and account number.
- Secondary uses and disclosure to third parties: If personal data is used for secondary purposes outside of the reasons for initial collection, it may result in undesirable outcomes or risks to individuals (e.g., a household receiving promotions for infant clothing when a household member has intentionally not informed the others of their pregnancy).
- Unawareness: If employees are unaware of the responsibilities they have toward personal data, they may commit privacy violations unknowingly. Regardless of intention, associated penalties and additional ramifications, like loss of consumer confidence, will still apply.
Again, context
Generally, a DPIA/PIA is a formalized process evaluating the potential risks and impact of a product, project, or activity on individuals’ personal data and privacy rights. It’s a tool that allows you to boldly ask:
- What types of personal data are we handling?
- Is this data inherently sensitive or otherwise specially protected?
- Why is personal data or sensitive personal data needed?
- How is this data obtained?
- Would the data be transferred or shared outside the organization?
- Could the privacy rights and reasonable expectations of individuals be met?
- Is any of this lawful, fair, transparent, and proportional?
- What issues, gaps, or levels of risk do we have?
- If not remedied, could these issues lead to privacy harm for individuals?
GDPR Article 35(1) says that a DPIA is necessary where a type of processing is likely to result in a high risk to the rights and freedoms of individuals. It’s about reasonable certainty. The European Data Protection Board, UK Information Commissioner, CNIL France, and other European data protection authorities provide non-exhaustive criteria including:
- New-to-you activity: If you want to work with a new SaaS vendor, launch a new product, enter a new market, or significantly change an existing business process involving personal data, you’ll want to assess likely privacy risks.
- Sensitive personal data: If you’ll use data defined as sensitive by law (e.g., GDPR “special category” data, CPRA “sensitive personal information”), there’s an objectively higher risk that needs to be addressed.
- Novel technologies: Bleeding-edge technologies like AI aren’t well-regulated and they’re likely to lead to unintended or heightened impacts.
- Systemic monitoring & profiling: Activities relying on persistent, large-scale monitoring of individuals are inherently privacy-intrusive and should be evaluated.
- Scoring & evaluation: Where individuals are being evaluated in ways that can seriously impact their legal rights or personal or professional lives.
Beyond the above examples, DPIAs can assess any data processing activity. This is because any personal data — regular or sensitive — can be used unlawfully, opaquely, unfairly, excessively, carelessly, and with disregard for the rights, reasonable expectations, and choices of individuals.
At a minimum, a DPIA captures:
- Descriptions of the data processing activities being assessed
- An evaluation of the “necessity and proportionality” of the processes vs. their purpose
- An assessment of the potential risks to the data subject’s rights and freedoms
- A detailed privacy risk mitigation plan, including proposed compliance safeguards
Bottom Line:
A DPIA by any name is a genuine, thoughtful analysis of the facts, benefits, trade-offs, and risks of leveraging personal data. It’s the actionable extension of your data mapping work and one of the essential vehicles for privacy programs to help organizations reduce privacy risks.
Risk Monitor in DataGrail helps you outsmart risk through auto-populating data protection impact assessments (DPIAs).
In DataGrail, choose Risk Monitor at the top of your screen to get started.
If you’d like referrals to trusted law firms and risk management specialists who can complement a productized strategy, reach out for a demo.
Connect with other pros (free) for DPIA and PIA pro tips. Join the Privacy Basecamp Community.