#4 Data Privacy Best Practice: Carry out an Internal Data Privacy Impact Assessment (DPIA)


My last posts have looked at how the hypothetical software company BizConnect should approach a) drafting a GDPR compliant privacy policy b) self-certifying under the Privacy Shield for transfers of EU personal data and c) adopting GDPR model rules for transfers of EU personal data.

This post examines whether BizConnect should conduct a DPIA.

What is the Data Privacy Impact Assessment (DPIA)? When is it mandatory?

The GDPR requires data controllers to conduct a DPIA under certain circumstances. It also requires data processors to assist data controllers (when asked) in the completion of their DPIA.

Definitions Recap:

What is a Data Controller? The Data Controller is the entity which determines the purposes and means of the processing of Personal Data.

What is a Data Processor? The Data Processor is the entity which processes Personal Data on behalf of the Data Controller.

What is Personal Data? “Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations).

Who are Data Subjects? Data Subjects are the individuals to whom the Personal Data relates.

BizConnect is the Data Processor; its enterprise customers in the EU are the Data Controllers; and the enterprise customer’s employees are the Data Subjects whose personal data is governed by the GDPR.

The UK's Data Protection Authority ("DPA"), the Information Commissioner's Office ("ICO"), offers helpful guidance on the types of situations where a DPIA must be done; and what should be covered by a DPIA. The following information relating to DPIAs comes directly from the UK DPA’s guidance on Article 35 of the GDPR.

There are three types of situations where the DPIA is required. They include:

1. A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

2. Processing on a large scale of special categories of data referred to in Article 9(1) or of personal data relating to criminal convictions and offences referred to in Article 10; or

3. A systematic monitoring of a publicly accessible area on a large scale.

When a DPIA should be done:

1. Systematic and extensive profiling or automated decision-making to make significant decisions about people.

2. Processing special category data or criminal offense data on a large scale.

3. Systematically monitoring a publicly accessible place on a large scale.

4. Using new technologies.

5. Using profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity, or benefit.

6. Carrying out profiling on a large scale.

7. Processing biometric or genetic data.

8. Combining, comparing or matching data from multiple sources.

9. Processing personal data without providing a privacy notice directly to the individual.

10. Processing personal data in a way which involves tracking individuals’ online or offline location or behavior.

11. Processing children’s personal data for profiling, automated decision-making or marketing purposes, or offering online services directly to them.

12. Processing personal data which could result in a risk of physical harm in the event of a security breach.

When a DPIA may be done:

1. Evaluation or scoring.

2. Automated decision-making with significant effects.

3. Processing of sensitive data or data of a highly personal nature.

4. Processing on a large scale.

5. Processing of data concerning vulnerable data subjects.

6. Innovative technological or organizational solutions.

In the above situations, if a DPIA is not carried out, it is recommended to document the reasons.

What a DPIA should cover:

1. Describe the nature, scope, context, and purposes of the processing.

2. Ask data processors to help understand and document their processing activities and identify any associated risks.

3. Consider how best to consult individuals (or their representatives) and other relevant stakeholders.

4. Ask for the advice of the Data Protection Officer (DPO).

5. Check that the processing is necessary for and proportionate to the purposes, and describe how data protection compliance will be ensured.

6. Do an objective assessment of the likelihood and severity of any risks to individuals’ rights and interests.

7. Identify measures to put in place to eliminate or reduce high risks.

8. Record the decision-making in the outcome of the DPIA, including any difference of opinion with the DPO or the individuals consulted.

9. Implement the measures identified, and integrate them into the project plan.

10. Consult the ICO before processing if the risks are high and cannot be mitigated.

11. Keep the DPIAs under review, and revisit them when necessary.

The UK Data Protection Authority (DPA) recommends doing a DPIA as a way to demonstrate GDPR compliance. They quote from the Article 29 Working Party (WP29), the body that issued the GDPR guidelines: “…DPIAs are important tools for accountability, as they help controllers not only to comply with requirements of the GDPR, but also demonstrate appropriate measures have been taken to ensure compliance with the Regulation. In other words, a DPIA is a process for building and demonstrating compliance.”

For BizConnect, a DPIA is not likely mandatory. However, it will be a helpful exercise for them to think through the DPIA requirements. Also, if any of their customers acting as data controllers asked them to assist with their DPIA, they would be required to do so, and they would not be starting from scratch if they had already started the DPIA exercise.

Why is it a good idea to start the process with a data mapping exercise? Starting with a data mapping exercise helps BizConnect understand its roles and responsibilities with respect to the GDPR. It needs to understand the flow of personal data from an EU user, who decides the purpose and use of that personal data, and what other parties BizConnect relies on to help it process the personal data.

In conducting this data mapping exercise, BizConnect should think about where the points of weakness are for data security. When data is in transit, is it encrypted? When data is at rest, is it password protected? Are the persons who have access to personal data trained?
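The data mapping exercise above is easier to keep current if each flow of personal data is recorded as a structured entry rather than a paragraph in a document. The script below is an added example, not code from the original post or from any product; it constructs a hypothetical data map for BizConnect (the flows, the "HelpdeskCo" sub-processor and the category-to-trigger mapping are all assumptions made for illustration), records who is controller, processor and sub-processor for each flow, flags the three weak points the paragraph asks about, and screens each flow against a few of the DPIA triggers from the ICO list quoted earlier.

```python
"""Data-mapping exercise for a SaaS processor (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Personal-data categories that map to a DPIA trigger from the ICO screening
# list. The category names and this mapping are assumptions for the example.
TRIGGER_CATEGORIES = {
    "biometric": "biometric or genetic data",
    "genetic": "biometric or genetic data",
    "health": "special category data",
    "criminal record": "criminal offence data",
    "location": "tracking location or behaviour",
    "browsing behaviour": "tracking location or behaviour",
}


@dataclass(frozen=True)
class DataFlow:
    """One movement of personal data between two systems or parties."""
    name: str
    source: str                      # where the personal data originates
    destination: str                 # system or party that receives it
    categories: Tuple[str, ...]      # kinds of personal data carried
    controller: str                  # who decides purpose and means
    processor: str                   # who processes on the controller's behalf
    subprocessor: Optional[str] = None
    encrypted_in_transit: bool = False
    encrypted_at_rest: bool = False
    staff_trained: bool = False      # people with access have had training
    data_subjects_are_children: bool = False


def weak_points(flow: DataFlow) -> List[str]:
    """Return the security weak points the mapping exercise asks about."""
    issues = []
    if not flow.encrypted_in_transit:
        issues.append("data in transit not encrypted")
    if not flow.encrypted_at_rest:
        issues.append("data at rest not protected")
    if not flow.staff_trained:
        issues.append("staff with access not trained")
    return issues


def dpia_triggers(flow: DataFlow) -> Set[str]:
    """Return the ICO-style DPIA triggers this flow appears to hit."""
    hits = {TRIGGER_CATEGORIES[c] for c in flow.categories if c in TRIGGER_CATEGORIES}
    if flow.data_subjects_are_children:
        hits.add("children's personal data")
    return hits


def audit(flows: List[DataFlow]) -> Dict[str, List[str]]:
    """Weak points per flow, keyed by flow name."""
    return {f.name: weak_points(f) for f in flows}


def subprocessors(flows: List[DataFlow]) -> Set[str]:
    """Every third party the processor relies on; these belong in the DPIA."""
    return {f.subprocessor for f in flows if f.subprocessor}


def report(flows: List[DataFlow]) -> Dict[str, dict]:
    """Roles, weak points and triggers for each flow, ready to hand to a controller."""
    return {
        f.name: {
            "controller": f.controller,
            "processor": f.processor,
            "subprocessor": f.subprocessor,
            "weak_points": weak_points(f),
            "dpia_triggers": sorted(dpia_triggers(f)),
        }
        for f in flows
    }


# Constructed data map for the hypothetical BizConnect.
SAMPLE_FLOWS = [
    DataFlow("employee_profile", "EU employee (entered by customer admin)",
             "BizConnect app on AWS", ("name", "work email", "job title"),
             controller="Enterprise customer", processor="BizConnect",
             subprocessor="Amazon Web Services",
             encrypted_in_transit=True, encrypted_at_rest=True, staff_trained=True),
    DataFlow("support_tickets", "BizConnect app", "HelpdeskCo (hypothetical)",
             ("name", "work email", "ticket text"),
             controller="Enterprise customer", processor="BizConnect",
             subprocessor="HelpdeskCo (hypothetical)",
             encrypted_in_transit=True, encrypted_at_rest=False, staff_trained=False),
    DataFlow("usage_analytics", "EU employee's browser", "BizConnect app on AWS",
             ("device id", "IP address", "location"),
             controller="Enterprise customer", processor="BizConnect",
             subprocessor="Amazon Web Services",
             encrypted_in_transit=True, encrypted_at_rest=True, staff_trained=True),
]

if __name__ == "__main__":
    for name, entry in report(SAMPLE_FLOWS).items():
        print(name, entry)
    print("sub-processors:", sorted(subprocessors(SAMPLE_FLOWS)))
```

Run as a script it prints one line per flow; the useful output is the per-flow list of weak points (the support-ticket flow shows unprotected data at rest and untrained staff) and the trigger screen (the analytics flow carries location data, which is one of the "DPIA should be done" items above). The set of sub-processors is exactly the list a controller will ask BizConnect for when it is completing its own DPIA.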

BizConnect itself has not undergone an SSAE 16 audit, but its data hosting provider, Amazon Web Services, has. That is helpful evidence of security practices.
