Data Protection Impact Assessment for GDPR: How To Do It Right
Learn more about data protection impact assessments and discover what you need to know to conduct one yourself.
The EU’s General Data Protection Regulation (GDPR) has several rules that organizations must follow to protect data. One of those requirements is to perform a Data Protection Impact Assessment (DPIA) in certain circumstances.
Do you need some guidance on how to manage these rules and requirements?
In this post we’ll walk you through DPIAs and explain what you need to know to conduct an effective one yourself.
A DPIA is a requirement under the GDPR. The goal is to show that you have processes in place and have put thought into:
Identifying the potential impact of your processing on individuals’ privacy rights.
Assessing the likelihood of any risks occurring, and how serious they may be.
Determining whether your current measures are appropriate to deal with those risks.
At its core, a DPIA is a way to document that your organization is being responsible with the data you collect and/or process. This is critical as volumes of data and privacy concerns continue to grow.
A DPIA isn’t just nice to have. For many organizations, it’s necessary to stay in compliance with the GDPR. The regulation itself states when a DPIA is necessary:
“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
Similar to other modern frameworks, this requirement is based on risk. For example, if you track people’s locations or behavior, process special categories of personal data, or monitor a publicly accessible place, you would need to complete one of these assessments to be in compliance with the GDPR.
For compliance purposes, you must conduct the DPIA prior to launching the project or processing activity. Beyond that, whenever there is a change that could affect your assessment, you should go through the process again.
Those changes include these common scenarios:
You need to change existing processes so that they collect new types of information about individuals.
You want to use data in ways you have not used it before.
Your method of collecting and processing data is changing significantly.
A system is being outsourced (either internally or externally).
Your company is offering a new product or feature that involves special categories of data such as political opinions or religious beliefs.
There are other scenarios where conducting a DPIA again would make sense. The important thing is to think through any major differences in how you manage data. As your processes and uses of information evolve, your assessments should too.
All those involved in how an organization processes personal data should also be involved in the process of creating and approving a DPIA. For most organizations, this includes a minimum of four role types.
The person or organization that determines why personal data is collected, stored, and processed. They’re responsible for ensuring that any processing activities are lawful and comply with the GDPR. This could include HR managers or other business leaders responsible for managing employee records.
The person or organization contracted to process personal data on an organization’s behalf. Internally, this is likely to include your IT team. If you outsource any of this work, you may also need involvement from an external team.
A member of staff whose role includes advising on security or privacy matters affecting privacy rights. This person should have knowledge of the company’s cybersecurity or privacy processes and policies.
If your organization has appointed a Data Protection Officer (DPO) as part of your compliance with Article 37 of the GDPR, they should be involved in the DPIA as well.
When you go to complete the assessment, the GDPR has a set list of features that every DPIA must include.
Here’s a closer look at what those are:
A description of the processing operations and the purposes of the processing
An assessment of the necessity and proportionality of the processing
An assessment of the risks to the rights and freedoms of data subjects
Measures envisaged to address the risks and demonstrate compliance
These guidelines act as a framework to help you understand DPIA requirements. The following steps provide a more concrete path to put your assessment together.
First, you need to have an internal understanding of where you store personal data and how you plan to (or already) use it. This information acts as the basis for the rest of your assessment.
What are you currently doing to ensure that data is secure and private? Are there specific risks that your organization faces that you need to be aware of? To answer these questions, you’ll need to look at existing documentation, and how any previous security or privacy issues were addressed.
At this stage, you should be able to recognize where you have gaps. Then, you can review your data security controls to see what additional steps would close those gaps.
You’ve put the work in; now make sure you document it. If you need help organizing your assessment, you can use this helpful template to organize information and gain more insight into the process.
Finally, take action on anything that you uncover during your DPIA. If there are security risks or better ways to protect data, take steps to address them as soon as possible.