Organizations collect vast amounts of data from their users, which ranges from personal information to website usage patterns to financial details. This data collection helps improve services, tailor experiences, and drive business growth. However, it can also bring significant risks related to data breaches and unauthorized access to or misuse of personal data.
A Data Protection Impact Assessment (DPIA) helps organizations identify these risks, implement necessary safeguards, and maintain regulatory compliance, specifically with the European Union’s (EU) General Data Protection Regulation (GDPR).
What is a Data Protection Impact Assessment (DPIA)?
A Data Protection Impact Assessment (DPIA) is a risk assessment process that helps organizations identify and reduce the risks to personal data they process. It involves examining how personal data is collected, handled, and stored, and ensuring there are adequate measures in place to protect individuals’ privacy and rights as they pertain to that data. Requirements for a DPIA are included in Art. 35 GDPR.
Conducting an effective DPIA enables organizations to detect and address potential problems at an early stage, helping prevent data breaches, avoid legal complications, and protect the organization’s reputation.
Who should implement a DPIA?
The GDPR places the obligation to carry out a DPIA on the data controller. A data controller is defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
While the data controller may appoint third-party data processors to carry out processing activities on its behalf, the responsibility for the DPIA remains with the data controller, which is ultimately responsible for GDPR compliance and data security. The data processor must assist the controller in carrying out the DPIA by providing any necessary information, as required by Article 28(3)(f) GDPR.
If a Data Protection Officer (DPO) is appointed under the regulation, the controller must consult with the DPO when carrying out a DPIA. The advice given by the DPO and the decisions made by the controller should be documented within the DPIA.
The DPIA may be carried out by someone outside the organization, but the data controller remains accountable for ensuring that it is completed appropriately.
When is a DPIA required?
A DPIA is required whenever a processing activity, in particular one using new technologies, meets the threshold set out in the law. Art. 35 requires a DPIA where data processing activities are “likely to result in a high risk to the rights and freedoms of natural persons.” According to the guidelines issued by the Article 29 Working Party (WP29), the predecessor of the European Data Protection Board (EDPB), these rights and freedoms include the rights to data protection and privacy, and may also include:
- freedom of speech
- freedom of thought
- freedom of movement
- prohibition of discrimination
- right to liberty, conscience, and religion
The GDPR specifically requires controllers to carry out a DPIA when:
- there is a systematic and extensive evaluation of personal aspects of individuals, including profiling and automated decision-making
- sensitive data, or data related to criminal convictions and offenses, is processed on a large scale
- publicly accessible areas are systematically monitored on a large scale
A DPIA may be required in other cases, and the controller must evaluate whether processing activities may result in a high risk to the rights and freedoms of individuals. Some examples from the WP29 and Recital 75 GDPR include cases where the processing:
- involves the use of new technologies
- involves matching or combining datasets from two different processing operations
- involves personal data of vulnerable individuals, including children
- is done to track behavior, location, or movements
- may give rise to significant economic or social disadvantage, including identity theft or fraud, discrimination, or financial loss
- may prevent data subjects from exercising control over their personal data
A DPIA can address either a single processing operation or multiple operations that share similar characteristics in terms of their nature, scope, context, purpose, and risks.
Exclusions from the DPIA requirements
There are two circumstances when a DPIA is specifically not required under the GDPR:
- when the processing operations fall under a list established by a supervisory authority or Data Protection Authority of an EU member state as not requiring a DPIA
- when the processing has a legal basis in EU law or in the law of the member state that applies to the controller, and that law specifically regulates the processing activity
At what stage should a DPIA be carried out?
A DPIA should be carried out before any type of processing begins that is likely to result in a high risk, ideally during the early planning stages of the project, new feature, or new use case. This early assessment helps identify and manage potential risks even if some processing details are still being finalized.
DPIAs are an ongoing activity, and the controller’s obligation doesn’t end once the initial DPIA has been carried out. If data processing has commenced for specific purposes, but the conditions of processing — such as purpose or type of personal data collected — change significantly and are likely to result in a high risk to individuals’ rights and freedoms, the controller must revisit the DPIA before these new processing conditions are implemented. If a DPIA was not initially required before data processing began but changes in processing conditions make it necessary, then it must be conducted when those new conditions arise.
What are the DPIA requirements under the GDPR?
There are certain minimum regulatory requirements for what a DPIA must include. The key components of a DPIA are:
- systematic description of the processing operations, including the nature, scope, context, and purposes of the processing
- assessment of whether the processing operations are necessary and proportional in relation to the purposes, to evaluate whether the same objectives can be met with less data or through less intrusive means
- identification and assessment of the likelihood and severity of potential risks to data subjects’ rights and freedoms
- measures to address and mitigate the risks, including safeguards and security measures such as encryption, access controls, and regular audits to protect personal data and demonstrate compliance with the GDPR
DPIAs under US law
There is no comprehensive federal data privacy law in the US; instead, a number of states have enacted laws to protect the personal data — often referred to as “personal information” in some laws — of their residents.
Many of these US state-level data privacy laws require controllers to conduct DPIAs. While there may be some variations among state laws, a DPIA is usually required in the following cases:
- processing of personal data for the purposes of:
  - targeted advertising
  - profiling
  - sale of personal data
- processing of sensitive data (which usually includes children’s data)
- processing activities that present a heightened risk of harm to consumers
What constitutes “sensitive data” or “sensitive personal information” may differ across various laws, so controllers must ensure they follow the specific requirements of each applicable law.
States that require these assessments include Colorado, Texas, Maryland, Connecticut, Virginia, Nebraska, Oregon, and Tennessee, among others. California requires a DPIA under the California Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act (CCPA).
DPIA procedure
The GDPR doesn’t specify a procedure for conducting a DPIA, giving controllers the flexibility to approach it in a way that effectively assesses risks and informs data processing decisions. The basic steps to conduct a DPIA are as follows.
1. Identify if a DPIA is required
The first step is to determine whether a DPIA is necessary before data processing activities begin. It may not be immediately clear that a DPIA is needed, and controllers might only realize it partway through the project. In such a case, controllers must ensure the DPIA is completed before they start any processing activities or collect any data.
2. Consult the DPO, if appointed
Art. 35(2) of the GDPR makes it mandatory to consult the DPO if the organization has appointed one. The DPO’s advice must be documented in the DPIA and, if the advice is overruled, the DPIA must explain why.
3. Identify all parties to be consulted
Controllers must list all internal and external stakeholders to be consulted. This includes data processors and data subjects or their representatives. The DPIA must include their feedback on the processing activities and, if feedback is disregarded, why.
4. Document the nature, scope, context, and purposes of the data processing
Controllers should list all the data processing activities, including why and how the data is being processed. This should cover, among other things:
- what types of personal data are being collected and processed, including whether the data is sensitive, the volume of data, and how long it will be retained
- the source of the data, and whether it will be shared with any third parties
- how much control data subjects will have over the data, and whether any new technologies will be used in processing
- the intended effect on data subjects and benefits for the controller
5. Assess the necessity and proportionality
The GDPR requires controllers to evaluate whether the data processing is necessary and proportional to achieve the intended purposes, including determining the lawful basis for processing. Controllers should consider what information will be shared with data subjects in their privacy policy, how to achieve data minimization and data quality, and how international transfers will be handled.
6. Identify and assess potential risks
Controllers are required to identify and evaluate the potential risks to data subjects’ rights and freedoms, and outline measures to mitigate these risks. They must assess the likelihood and severity of each risk, considering factors like the nature of the data, the context of processing, and the potential impact on individuals. Controllers should develop a risk mitigation plan that includes specific measures such as encryption, anonymization, access controls, and regular security audits.
7. Validate and sign the DPIA
Controllers must validate and sign the DPIA once it is completed. This involves recording who approved the protection measures and any residual risks. Documenting the decision-making process and identifying those responsible for its implementation and authorization provides a clear record of the approval process.
There is no official template from the EDPB, and controllers that need structure or guidance to get started may use templates from Data Protection Authorities such as France’s National Commission on Informatics and Liberty (CNIL) or the UK’s Information Commissioner’s Office. Although the EU GDPR doesn’t apply to the UK post-Brexit, the UK GDPR is nearly identical to the EU version and includes the same provisions for DPIA requirements.
Conclusion and next steps
Conducting a DPIA is a vital practice for safeguarding personal data, maintaining data subjects’ trust, and avoiding reputational damage. By conducting a DPIA, organizations can identify and mitigate potential risks, ensuring that data processing activities are both secure and compliant.
Organizations should consult a qualified legal professional, privacy expert, or DPO to ensure compliance with the GDPR’s DPIA requirements and to implement the necessary safeguards effectively.