The General Data Protection Regulation (GDPR) requires data controllers to carry out data protection impact assessments (DPIAs) for certain processing operations, in order to ensure that the processing complies with data protection principles. These assessments form an integral part of the documentation required to demonstrate compliance.
Failure to comply with these obligations is punishable by an administrative fine of up to 10,000,000 euros or, for an undertaking, up to 2% of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(4) GDPR).
This guide explains what a data protection impact assessment is, when it is required and how it should be carried out.
- Privacy risk
- Criteria for conducting a DPIA
- When should the DPIA be carried out?
- Who carries out the DPIA?
- What content?
- How is it done?
The data protection impact assessment is a compliance mechanism provided for by Article 35 of the GDPR.
The analysis consists of identifying and minimizing the risks that a personal data processing operation poses to the rights and freedoms of data subjects.
The DPIA breaks down into three parts:
- A detailed description of the processing implemented, including both technical and operational aspects;
- The assessment, of a more legal nature, of necessity and proportionality with regard to the non-negotiable fundamental principles and rights (purpose, data and retention periods, information and rights of individuals, etc.), which are laid down by law and must be respected whatever the level of risk;
- The more technical study of data security risks (confidentiality, integrity and availability) and their potential impact on privacy, which makes it possible to determine the technical and organizational measures needed to protect the data.
A "privacy risk" is a scenario describing:
- a feared event (a breach of the confidentiality, availability or integrity of the data, and its potential impact on the rights and freedoms of individuals);
- all the threats that could lead to its occurrence.
Each risk is estimated in terms of severity (the magnitude of the impact on the persons concerned) and likelihood (how plausible it is that the threats materialize). Severity must be assessed from the point of view of the data subjects, not of the organization.
A single DPIA can be used to assess several processing operations that are similar in nature, scope, context, purposes and risks. For example, several municipalities can carry out a single DPIA for a video surveillance system using the same technology and serving the same purposes.
Criteria for conducting a DPIA
An impact analysis must be carried out whenever the processing operation entails a high risk for the rights and freedoms of the persons concerned.
By rights and freedoms, we mean not only the right to privacy, but also other fundamental rights, such as freedom of movement, non-discrimination, the right to life, etc.
In any case, a DPIA must be carried out in either of the following situations:
- The proposed processing operation is included in the list of types of processing operations (attached) for which the CNIL (for France) has deemed it mandatory to carry out a data protection impact assessment (Article 35(4));
- The processing operation meets at least two of the nine criteria set out in the guidelines of the Article 29 Working Party (WP29, now the EDPB):
- evaluation/scoring (including profiling)
For example, a processing operation that analyzes Internet users' habits in order to create behavioral or marketing profiles.
- automatic decision with legal or similar effect
The processing leads to an automated decision that has legal effects on the person, or is intended to assist in a decision that has legal effects on a person or similarly significantly affects him or her. For example, the processing leads to discrimination or exclusion. Processing whose effects on the person are minor is not covered by this criterion.
- systematic monitoring
The processing is used to observe, monitor or control data subjects, who cannot avoid it. For example, systematic surveillance of networks or of public spaces.
- collection of sensitive or highly personal data
Sensitive data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic or health data, biometric data, and data concerning a person's sex life or sexual orientation), highly personal data (data relating to electronic communications, location data, financial data, etc.), and data relating to criminal convictions, offenses or related security measures.
- large-scale collection of personal data
There is no single threshold, applicable to all situations, above which processing is considered to be carried out on a "large scale". Consideration must be given to the number of data subjects, the volume or range of data items, the duration or permanence of the processing, and its geographical scope. In practice, the same criteria should be used as those for the mandatory appointment of a DPO.
- data cross-referencing
This involves matching or combining data from different processing operations carried out by one or more data controllers, in a way that would exceed the data subject's reasonable expectations. In other words: what processing can the data subject expect in the context in which the data was collected? The more unexpected or surprising the combination, the more it exceeds reasonable expectations.
- vulnerable persons (patients, the elderly, children, etc.).
This refers to data relating to people who would find themselves in a situation of increased imbalance in their relationship with the data controller. For example, data relating to patients, the elderly, children, asylum seekers, etc. To a certain extent, this may involve data relating to employees, in view of the relationship of subordination with the employer.
- innovative use (use of new technology)
The use of a new technology, or an innovative use of an existing one, qualifies when its personal or social consequences are not yet well understood and there is insufficient hindsight on its impact on the persons concerned. For example, Internet of Things applications, or the combination of fingerprint and facial recognition for access control.
- exclusion from the benefit of a right/contract
Processing that grants, modifies or denies access to a service or the conclusion of a contract. For example, a scoring tool used to decide on a bank loan.
It is also recommended to take into account the following criterion:
- Data transfers outside the EU: transfers of data outside the European Union, taking into account the country of destination and the possibility of onward transfers (Recital 116 GDPR).
A supervisory authority may also publish a list of processing operations for which a DPIA is not required (Article 35(5)); the CNIL has done so (see the CNIL list in the appendix). This concerns the most common processing operations, particularly for companies with fewer than 250 employees.
A DPIA is also not required if the processing is necessary to comply with a legal obligation to which the data controller is subject, or to perform a task carried out in the public interest entrusted to the data controller, and a DPIA has already been carried out by the public authority as part of the adoption of that legal basis (Article 35(10)).
When to carry out the DPIA?
Wherever possible, the DPIA should be carried out before the processing operation is implemented, since it makes it possible to anticipate the measures needed to ensure compliance with the GDPR. It should then be reviewed whenever the risk presented by the processing changes (Article 35(11)).
For example, in the case of the installation of a video surveillance system requiring a DPIA (systematic surveillance of vulnerable individuals, for example), the assessment should be started before the installer is involved, and carried out together with them.
Who carries out the DPIA?
The DPIA must be carried out by (or on behalf of) the data controller. Processors are obliged to assist the data controller in carrying it out (Article 28(3)(f)). In practice, the following people will need to be involved:
- The DPO
- The business team (the project owner and the project manager, depending on the context)
- The CISO
- Processors involved in the data processing
- If necessary, in case of complexity, an external consultant
- The Works Council, in the case of data processing concerning employees
- Data subjects or their representatives, where appropriate (Article 35(9)), for example via public consultations
The actions of those involved must be documented in the analysis.
Content of the DPIA
The analysis must contain the following elements:
- Description of the intended processing and purposes
- An analysis of the necessity and proportionality of the processing operation
- An analysis of the risks to individuals' rights and freedoms
- The measures envisaged to:
  - Address the risks
  - Demonstrate compliance with the GDPR
How to complete the DPIA?
The DPIA consists of a document. This document can be paper, in the form of an analysis report for example, or digital, using software. What's important is that the risks are identified and analyzed.
Dastra has developed a method, inspired by those published by the data protection authorities (such as the CNIL in France), for carrying out data protection impact assessments. It is also possible to create your own DPIA template.
To find out more, don't hesitate to create an account in Dastra or contact us!
How does DPIA conclude?
The DPIA identifies measures to mitigate the high risks identified, so that the risk is reduced from high to acceptable (or low).
Only if the residual risk is acceptable (or low) may the processing activity be implemented.
If, after analysis, the residual risk is still considered high despite the measures envisaged, the data protection supervisory authority must be consulted before the processing begins (Article 36). The supervisory authority provides written advice within eight weeks (extendable by a further six weeks for complex processing) on whether the processing may go ahead and, if necessary, indicates the measures to be implemented for it to be carried out.