The importance of protecting sensitive data cannot be overstated. Several U.S. standards and regulations, not to mention various good practice guidelines, emphasize the importance of data protection. Savvy IT organizations must have data protection policies and procedures in place to ensure all data -- whether at rest or in motion -- is protected from unauthorized cyberthreat activity.
The EU's GDPR has a specific provision to ensure personally identifiable information (PII) and other sensitive data -- especially data with specific privacy requirements -- goes through a data protection impact assessment, or DPIA, before any processing activities are performed on it.
GDPR regulations, which officially launched in May 2018, protect users from having their data collected and abused without their knowledge or consent. GDPR protects PII because of the potential for infringement on an individual's private life -- and even causing harm -- when combined with other data.
Organizations in the U.S. with operations in EU member nations or with U.S.-based websites accessed by people in EU member nations must be prepared to perform DPIAs to be compliant with GDPR requirements.
Data protection impact assessments help organizations understand the risks related to processed data, especially sensitive data. A DPIA identifies potential risks associated with processing PII, assesses the need for processing PII and supports the overall risk management process. DPIAs are also suitable evidence for auditors that the organization processing PII is compliant with GDPR.
Elements of a DPIA
GDPR Article 35 specifies the requirement to perform a DPIA but provides no guidance on how to conduct one. As such, many different interpretations on planning and conducting DPIAs have been developed by EU member nations, as well as independent vendors and consultancy firms.
EU member nations are required to have an organization in place to administer and coordinate GDPR regulations within their borders. In the U.K., for example, the Information Commissioner's Office (ICO) coordinates all GDPR compliance activities and serves as an important resource for organizations outside the U.K. and for other EU members. Organizations in the U.S. that have an EU connection are advised to contact the relevant coordinating agency in the nation(s) that may be affected.
A DPIA is required in situations where:
- a comprehensive analysis of data associated with individuals, based on automated processing -- for example, profiling -- is planned that results in legal decisions and/or actions concerning the individual(s);
- processing of data is desired in special categories or relating to criminal offenses;
- a large-scale geographic area is examined for publicly accessible data;
- examination of data involving children, genetic data or biometric data is desired; or
- the proposed processing is of a type that requires consultation with a supervisory authority, for example because it appears on a list of processing operations requiring a DPIA that the supervisory authority has published.
DPIAs must include the following:
- a detailed system-based description of the proposed processing activities along with the purpose of such processing;
- an analysis of the need and materiality of the proposed processing as aligned with the stated purpose(s);
- an examination of the risks to and effects of the proposed processing on the rights and freedoms of data subjects;
- detailed actions for the proposed processing that demonstrate compliance with GDPR Article 35, acknowledging the rights and appropriate interests of data subjects; and
- evidence of consultation with the organization's data privacy/protection officer (DPO).
Additional considerations include the following:
- The EU member's GDPR coordinating agency may expand DPIA requirements, such as scalability, auditability and verification, and may also specify actions to be taken by subject matter experts.
- The coordinating agency may specify standards and procedures for performing, verifying and auditing the DPIA.
- If a change in risk is identified by the processing entity, the entity's controller may confirm that the processing of personal data is still performed in compliance with the DPIA.
- When assessing the level of risk associated with the proposed processing, consider both the likelihood and severity of any effects on individuals and PII.
- Identifying a high-risk situation that cannot be suitably mitigated may necessitate contacting the coordinating agency -- for example, the U.K. ICO -- in the relevant EU nation(s) before processing commences.
Data protection impact assessment templates
Preparing a DPIA may seem like a daunting task. Use these two templates to determine 1) if there is a bona fide reason to prepare a DPIA and, if so, 2) the information that needs to be gathered for the DPIA.
Note, these templates are based on guidance provided in GDPR Article 35 and are adapted from content and guidance developed by the ICO.
Conducting a data protection impact assessment
Companies should organize and conduct a DPIA before commencing any data processing activities. It is best to perform the DPIA during the planning stages of the proposed processing. A key player for DPIA consultation is the DPO, along with other relevant stakeholders.
Next, use a template -- such as the ones associated with this article -- to help guide you through the process of determining whether the proposed data processing activity requires a DPIA. The template will ask questions to help organizations understand the scope of the data processing and determine what is needed to protect the data in the course of actual processing.
The following steps are recommended when performing a DPIA:
- Identify the need for a DPIA. Ensure the processing of PII is necessary and can be justified.
- Describe the proposed data processing. Explain the processing in technical terms, for example, the system(s), application(s) and data repository to be used, as well as security measures to ensure data privacy.
- Identify consultation to be secured. Indicate internal and external subject matter experts whose advice will be needed as part of the planning and execution of the processing.
- Assess the necessity and materiality of the processing. Determine the relevance of the proposed processing and the aims and objectives to be achieved.
- Identify and assess processing risks. Identify technology, operational, human-based and other risks that could affect successful processing.
- Identify mitigation activities to address the identified risk. Once risks have been identified, assess remedies to mitigate or eliminate the risks.
- Obtain approvals. Secure necessary approvals from IT management, including the DPO.
The templates in this article will help facilitate the information-gathering needed to complete a DPIA. They can also be used by auditors to examine the data, the DPIA and, in turn, the proposed processing. Completion of a DPIA, as noted earlier, is also an important benchmark for compliance with GDPR.
Organizations that fail to comply with GDPR requirements risk severe penalties, including fines of up to 20 million euros or 4% of annual revenue, whichever is higher. Such penalties for not performing a DPIA are likely to be assessed by the EU nation's GDPR coordinating agency.