Data Protection Impact Assessments (DPIAs) When do you need one?

Your organization likely stores and processes large amounts of personal information, including names, addresses, browsing habits, and health information, which comes with a great risk of data breaches, data misuse, and privacy violations. This is even more true nowadays as our reliance on digital services grows.

Because of this, individuals' concerns about privacy and the desire to have more control over their data have inevitably risen in recent years and, unsurprisingly, many countries have brought more rules over how businesses can process personal data and what measures should be taken to protect the information. One such rule is the requirement that organizations conduct a Data Protection Impact Assessment (DPIA), also known as a Privacy Impact Assessment (PIA) for data processing activities that may cause harm to the individual. 

An assessment of risks associated with data collection and processing is a requirement introduced by many countries and states in the US in their data privacy laws, but the way this is done still poses many challenges for covered organizations.

In this article we are discussing what a DPIA is, what some of the most known data privacy laws mandate in regards to it, and how businesses can conduct a data protection risk assessment. 

What is a Data Protection Impact Assessment (DPIA)?

A Data Protection Impact Assessment (DPIA), also known as a Privacy Impact Assessment (PIA), is a tool introduced originally by the GDPR. According to EU’s privacy law, controllers are responsible for conducting and documenting this assessment before initiating any data processing. The assessment systematically evaluates how data is collected, stored, and disposed of and the potential threats posed by the processing of data subjects. It also includes mitigation actions and security controls. Organizations can minimize the impact by identifying potential risks early on and ensuring data protection.

When do I need to conduct a Data Protection Impact Assessment (DPIA)?

The need for a Privacy Impact Assessment (PIA) depends on your location's data privacy regulations. Organizations under GDPR or UK GDPR must conduct a PIA before collecting high-risk data.

Examples of high-risk processes include:

• systematic and extensive profiling, or automated data analysis (this refers to the use of automated systems to analyze large amounts of personal data to predict and evaluate various aspects of someone's behavior and characteristics);
• processing of sensitive categories of data;
• processing of data related to criminal offenses on a large scale; and 
• systematic monitoring of public places.

Data Protection Authorities (DPAs) in member states publish lists of activities that require companies to conduct and document PIAs. For instance, the Information Commissioner's Office requires companies to conduct a PIA when they:

• plan to use innovative technologies; 
• profile individuals on a large scale or profile sensitive information; 
• process biometric or genetic information; 
• match data or combine datasets from multiple sources; 
• collect data from a source other than the individual; 
• track location or behavior; 
• profile data related to minors; and 
• process data that may endanger an individual’s physical safety in case of a breach.

In addition to the GDPR and local legislations of the European member states, the United States data protection laws, such as those in Virginia, Colorado, and Connecticut, also mandate businesses and controllers to conduct risk assessments in certain circumstances.

Data Protection Assessments in the United States

Virginia 

The Virginia Consumer Data Protection Act (VCDPA) requires controllers to conduct and document data protection assessments for the following processing activities involving personal data:

• Processing personal data for targeted advertising;
• Selling personal data;
• Processing personal data for profiling that presents foreseeable risks of unfair treatment, financial, physical, reputational harm, intrusion upon privacy, or other substantial injury to consumers;
• Processing sensitive data;
• Any processing activities involving personal data that pose a heightened risk of harm to consumers.

The Attorney General has the authority to request controllers to disclose data protection assessments relevant to investigations, and controllers must make these assessments available to the Attorney General.

Colorado and Connecticut

The Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA) share similarities in their provisions. Both laws prohibit businesses and controllers from carrying out data processing that poses a significant risk to consumers without conducting and documenting a Data Protection Assessment. Examples of such activities include:

• processing personal data for targeted advertising or profiling that presents a reasonably foreseeable risk; 
• selling personal information, and 
• processing sensitive personal information.

Controllers are required to make the Data Protection Assessment available to the Attorney General upon request. The Connecticut Data Privacy Act also stipulates that if a controller conducts a data protection assessment to comply with another applicable law or regulation, it will be considered to satisfy the requirements of the Act.

California is currently developing rules on risk assessments. With more US states enacting their own data protection laws, the need for businesses to conduct Privacy Impact Assessments is rapidly increasing. This expanding legal landscape means that your organization will likely be subject to PIA requirements in the near future.

Understand the US data privacy landscape

Find Out More

How to conduct a Data Protection Assessment (DPIA)?

A Privacy Impact Assessment may concern a single data processing operation and could be used for multiple similar processing operations. It should take place early in the project's life, before the processing starts, and run alongside the planning and development process. 

Please remember the following: 

At a minimum, a PIA has to include:

1. a) a description of planned processing operations and the purposes of the processing,
2. b) an assessment of the necessity and proportionality of the processing,
3. c) an assessment of the risks to the rights and freedoms of data subjects, 
4. d) the measures envisaged to address the risks and demonstrate compliance with the law.

A. How to describe a process:

Describe how and why you plan to use the personal information, and consider the nature, scope, and context of processing by answering and documenting the answers to questions the same way you would when building a shelf for example:

• Gathering the Materials: How do you collect information? Is it through website forms, user accounts, or other sources?
• Building the Shelves: How do you store this information? Are you using secure databases or cloud storage solutions?
• Who Can Access: Who has access to the information you collect? Do you have controls in place to limit access?
• Keeping it Organized: How long will you store this information? Do you have a clear retention policy?
• Security Measures: What security measures are in place to protect the information you collect? Think encryption, firewalls, and access controls.
• Identifying High-Risk Areas: Are there any situations where your data handling practices could be risky? Do you match any categories of processing requiring a risk assessment under the law?
• What's on the Shelves: What type and volume of information are you processing? Is it primarily basic contact details, or are there more sensitive pieces of data involved?
• Sensitive Materials: Is any information you collect considered sensitive, like health data or financial information? If so, this requires extra care in handling.
• Where Does the Data Come From: Where is the information coming from? Is it directly from users, or are you acquiring it from other sources?
• Access and Control: What kind of access and control do individuals have over their information? Can they see, correct, or delete it if they want to?

B. How to assess necessity and proportionality

How does collected information help you to achieve the set purpose? Consider whether you can achieve the same goal with less information or without any information at all. Try answering and documenting the answers to questions such as the following:

• Why This Data: Ask yourself, "Why do I need this information?" Does it directly help you achieve your goal? For example, collecting someone's email for a newsletter signup is necessary for sending them updates. However, their birthday might not be.
• Less is More: Could you achieve the same goal with less information? You may only need a username instead of a full name and address. Aim for the minimum amount of data required to complete the job.
• Legal Grounds: What legal reason do you have for collecting this information? Do you have the user's consent, or is it legally required?
• Keeping it Fresh: How will you ensure the information you collect is accurate and up-to-date? Nobody wants a stale cake!
• Transparency is Key: Let people know what information you're collecting and how to use it. Be clear and upfront in your privacy policy.
• Respecting Choices: Give people control over their information. This means allowing them to access, correct, or delete their data if they want to.

C. How to identify and assess risk

Determining whether certain data processing constitutes a risk depends on its effect on the individuals. Assessing potential threats helps you understand what could go wrong and prepare a response. For example:

• Limited Access: Are there situations where people can't access or control their information? Imagine someone changing the recipe without you knowing!
• Losing Control of the Information: Could individuals lose control over their information if they accidentally share the recipe with the wrong people?
• A Bad Batch: Is there a risk of discrimination, financial loss, or reputational damage if the information you collect is misused? A data breach could be a severe issue.
• Physical Harm: Is physical harm possible after a data breach? This might concern data related to medical conditions or security systems, political beliefs, or data that can be grounds for a hate crime.
• Secret Recipe Exposed: Could the information you collect be easily accessed by unauthorized individuals?
• Unintended Consequences: If individuals' data is mishandled, will there be any other potential negative effects, like social or economic disadvantages?

Ideally, an impact assessment should include the risk, sources of risk, potential impact in case of a breach, and mitigation actions to minimize the implications for all data types. Similar to any other risk assessment, it should consider the likelihood and severity of the event.

D. How do we identify mitigating actions? 

The mitigation actions should address specific risks identified during the earlier stages of the risk assessment.

• Minimize:

• Avoid Collecting Unnecessary Data: If the Privacy Impact Assessment (PIA) reveals that you are gathering more information than necessary, consider not collecting certain non-essential information.
• Shorten Data Retention Period: Less data means fewer risks. Consider if you can reduce the duration for which information is stored. The PIA might highlight data that does not need to be retained for extended periods. Delete unnecessary data once it is no longer required.

• Implement Additional Security Measures:

• Strengthen Security: The PIA may identify security vulnerabilities. Take extra security measures such as encryption, access controls, and firewalls to protect the collected information.

• Privacy-Preserving Techniques:

• Anonymize or Pseudonymize Information: Remove personal identifiers or replace them with codes to protect privacy.
• Clear Communication and Processes:
  • Educate Personnel: Educate your staff on best practices for data privacy and provide clear guidelines for handling the collected information.
  • Empower Individuals: Establish a system that allows individuals to have more control over how their information is processed, including accessing, correcting, or deleting their data.

Last but not least, remember to document the measures you plan to take and whether they eliminate or reduce the risk. Whenever possible, record the residual risk.

It's important to regularly update the PIA. Establish a review period, at least once a year, or update it when there are changes in the scope of processing or new technologies affecting the previous assessment.

Useful resources:

• WP Guidelines on Data Protection Impact Assessment
• ICO Sample DPIA Template