Under the GDPR, DPIAs (data protection impact assessments) are mandatory for data processing that is “likely to result in a high risk to the rights and freedoms of data subjects”.
Effectively a type of risk assessment, DPIAs assess how these high-risk data processing activities could impact data subjects.
Failure to adequately conduct a DPIA where required constitutes a breach of the GDPR.
Breaching the GDPR could lead to administrative fines of up to 2% of your organisation’s annual global turnover or €10 million – whichever is greater.
So, it’s essential to get it right.
This DPIA checklist outlines the seven key elements of the DPIA process flow.
Step 1: Identify the need for a DPIA
You’ll need to conduct a DPIA for data processing that is “likely to result in a high risk”.
But the GDPR doesn’t define “likely to result in a high risk” – so what does it mean?
Although the goal of the DPIA itself is to identify “high risk” in detail, you’ll need to screen for any red flags that indicate that you need to do a DPIA.
As a starting point, Article 35(3) sets out three types of processing that always require a DPIA:
1) Systematic and extensive profiling with significant effects:
(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
2) Large-scale use of sensitive data:
(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10.
3) Public monitoring:
(c) a systematic monitoring of a publicly accessible area on a large scale.
Beyond this, the ICO (Information Commissioner’s Office) offers an extensive list of examples of processing “likely to result in high risk”.
Below is a simplified chart:
One way to quickly and easily determine whether or not a DPIA is required is to use a dedicated software tool, such as the DPIA Tool.
All you’ll need to do is answer some quick screening questions, and you’ll be advised whether a DPIA is mandatory, advisable or not required.
If you are confident that your processing is unlikely to result in a high risk, you may be able to justify a decision not to carry out a DPIA. You should document your reasons for this.
Step 2: Describe the processing
You’ll need to explain precisely how and why you plan to use the personal data you are processing.
This description of the process will be useful evidence and justification for your decision whether or not to conduct a full DPIA.
Your description should outline “the nature, scope, context and purposes of the processing”.
Let’s take a look at each of these terms in more depth:
The nature of the processing is what you plan to do with the personal data. Many different types of personal data processing can be identified in the GDPR:
When describing the nature of the processing, you should outline:
- How you will collect and store the data.
- Who has access to the data, and who you’ll share it with.
- Whether or not you use any processors.
- How long you will retain the data.
- What security measures you have in place to protect the data.
- Any new technologies or novel types of processing used.
The scope of the processing defines what the processing covers. When documenting the scope of the processing, you should detail:
- The nature of the personal data.
- The volume and variety of the personal data.
- The sensitivity of the personal data.
- The extent and frequency of the processing.
- The duration of the processing.
- The number of data subjects involved.
- The geographical area covered.
Describing the context of the processing requires you to consider the bigger picture.
This includes any factors, internal or external, that could affect the expectations or impact, such as:
- The source of the data.
- Your relationship with the individuals.
- How much control individuals have over their data.
- How likely individuals are to expect the processing.
- Whether the individuals include children or other vulnerable people.
- Any relevant advances in technology or security.
- Any current issues of public concern.
Finally, you’ll need to explain the reason why you want to process the personal data. This should include:
- Your legitimate interests (where relevant).
- The intended outcome for individuals.
- The expected benefits for you or society as a whole.
Software can help speed things up here, too.
The DPIA Tool includes a process description questionnaire, divided into four sections: scope, nature, context and purpose.
Answering all the questions will help you quickly create a systematic description of your processing activities.
Step 3: Consider consultation
Unless there is a good reason not to, you are required to seek and document the views of individuals (or their representatives).
In most cases, consultation should be possible in some form. Let’s take a look at two common scenarios:
1) You’re processing the data of existing contacts
If you’re processing the data of existing contacts – say, existing customers or employees – you should design a consultation process to seek the views of those involved.
2) You plan to collect the personal data of individuals you have not yet identified
In this scenario, you may need to carry out a more general public consultation process. This could comprise market research within a certain demographic or contacting relevant consumer groups for their opinions.
If, after consultation, your DPIA decision goes against the views of the individuals, you’ll need to document your reasons for disregarding their views.
Keep in mind that consultation won’t always be appropriate.
For example, if it could compromise commercial confidentiality, or pose a risk to security, it is reasonable to forgo the process.
However, if you decide to do so, you should record this decision as part of your DPIA, with a clear explanation.
Step 4: Assess necessity and proportionality
First of all, let’s examine what’s meant by necessity and proportionality.
Necessity is a fundamental principle when assessing the lawfulness of the processing of personal data.
It requires that your processing operations, retention periods and the categories of data processed are necessary only for the purpose of the processing.
Proportionality is a general principle of EU law.
In the context of personal data processing, it requires that you only collect personal data that’s adequate and relevant for the purpose of the processing.
In accordance with the Article 29 guidelines, you should outline how you ensure data protection compliance. This is a good measure of necessity and proportionality.
Specifically, you should include relevant details of:
- Your lawful basis for the processing.
- How you plan to prevent function creep.
- How you intend to ensure data quality and data minimisation.
- How you plan to provide privacy information to individuals.
- What measures you take to ensure your processors comply.
- Any safeguards you have in place for international transfers.
The principles questionnaire included within the DPIA Tool will help you quickly assess the necessity and proportionality of processing.
It consists of eight sections covering the individual principles of data protection, data subject rights and measures to protect data subjects:
Answering the questions will show if and how the process in question upholds the data protection principles and data subject rights.
Step 5: Identify and assess risks
It’s important to consider any harm or damage your processing may cause to the individuals involved. This could be physical, emotional or material.
In particular, you should consider whether the processing could contribute to significant economic or social disadvantage. This includes:
- Inability to exercise rights.
- Inability to access services or opportunities.
- Loss of control over the use of personal data.
- Identity theft or fraud.
- Financial loss.
- Reputational damage
- Physical harm.
- Loss of confidentiality.
- Re-identification of pseudonymised data.
To assess whether the risk is high, you need to take into account both its likelihood and severity of the possible harm.
A risk assessment matrix provides a simple way of doing that, quantifying the risk using a simple scoring system:
Alternatively, the DPIA Tool includes everything you need to make an objective assessment of the risks.
Based on your risk assessment, you need to establish the criteria for accepting risks.
Generally speaking, there are three main criteria for this: broadly acceptable, tolerable and intolerable. Here’s how it looks in practice within the DPIA Tool:
It’s worth also considering your own corporate risks, for example, the impact of regulatory action, reputational damage, or a loss of public trust.
Step 6: Identify measures to mitigate risks
Now that you have evaluated the risks posed by your processing, you then need to consider ways to reduce that risk.
This could include:
- Refraining from collecting certain types of data.
- Taking additional technological security measures to protect the data.
- Training staff to ensure that risks are anticipated and managed.
- Anonymising or pseudonymising data.
You’ll need whether the measure would reduce or eliminate the risk.
Take into account the costs and benefits of each measure when deciding whether or not they are appropriate.
Step 7: Sign off and record outcomes
To conclude your DPIA, you will need to record:
- Any additional measures you plan to take.
- Whether each identified risk has been eliminated, reduced or accepted.
- The overall level of ‘residual risk’ after taking additional measures.
- Whether or not you need to consult the ICO.
It’s important to remember that you do not always have to eliminate every risk.
You might decide that some risks are acceptable, given the benefits of the processing and the difficulties of mitigation.
However, if there is still a high risk, you will need to consult the ICO before you can go ahead with the processing.
You don’t need to be a GDPR expert to complete a DPIA
Save time, reduce errors and easily demonstrate how you comply with your data protection obligations with the DPIA Tool.
Suitable for organisations of all sizes, this easy-to-use tool will speed up and simplify the DPIA process.
- Quickly determine whether you need to conduct a DPIA;
- Conduct consistent, comprehensive DPIAs;
- Identify risks and determine the likelihood of their occurrence and impact;
- Easily review and update DPIAs when changes in processing activities occur; and
- Easily share information with stakeholders and your supervisory authority.
A version of this blog was originally published on 4 September 2019.