Since their inception, much has been written and discussed about Data Privacy Impact Assessments (DPIAs), a term introduced by the EU General Data Protection Regulation (GDPR). A DPIA is a process that describes data processing which is likely to result in a high risk to the rights and freedoms of data subjects and assesses how that risk is managed. DPIAs are usually conducted before any data processing activities begin, and a DPIA must be considered whenever data processing or the use of a new technology is likely to pose a high risk to the rights and freedoms of data subjects.
A DPIA is not to be confused with a Privacy Impact Assessment (PIA). A PIA is a process that identifies and documents data behaviors across processes, products, and systems that contain personal information, and establishes how privacy is managed and protected. It analyzes the activities of a project and determines how those activities may pose a risk to the privacy of the project’s participants. PIAs are conducted when new or improved projects, developments or undertakings are established, and they can be performed regardless of the criticality or sensitivity of the risk and information involved.
The European Commission offers additional insight into the difference between a DPIA and PIA.
Before conducting a DPIA, it is important to understand and outline its lifecycle. Different supervisory authorities and regulatory bodies have defined different methodologies:
- The UK’s Information Commissioner’s Office (ICO) published guidance for how to perform a DPIA.
- The Personal Data Protection Commission (PDPC) of Singapore provides an outline of key principles and considerations for addressing specific personal data protection risk, to be referenced when conducting a DPIA for systems and processes.
- The Office of the Privacy Commissioner of Canada (OPC) provides extensive direction and tools for performing DPIAs.
- The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) standard ISO/IEC 29134:2017 provides guidelines for conducting DPIAs, which include the structure and content of a DPIA report.
So, how can one conduct a DPIA, and what is the right methodology for doing so? The most effective approach for any individual or organization conducting a DPIA is to follow a Plan-Do-Check-Act (PDCA) model (figure 1).
Figure 1—Is a DPIA Necessary?
Plan Phase (Preparation)
The plan phase is the most critical phase of the DPIA and begins by asking a very basic question: Is a DPIA necessary? The threshold for the obligation to conduct a DPIA is assessed first. This may be assessed against the specifications issued by EU supervisory authorities or through an initial assessment of the interference with the fundamental rights of, and the risk posed to, the data subject. GDPR also mandates when to conduct a DPIA in Recital 91.
Furthermore, a description of the target of evaluation, namely the intended processing of data, must be given. This includes a description of the related processing purposes, the actors involved, the data subjects concerned, the identified legal ground(s) and the operational/organizational context. The most thorough way to document this is to create an information flow map. Such a map identifies the touchpoints through which information passes, including the relationships with internal and external bodies, which data have been processed, and where data are stored within the organization and its business units.
This is also the stage during which data protection risk factors and potential attackers are identified. Subsequently, the risk must be assessed and suitable (technical and organizational) mitigation measures identified, followed by documentation of the evaluation results, including an analysis of residual risk. Identifying and assessing this risk matters because, when deciding how to address data protection risk and weighing the relative costs of each data protection solution, decision makers will consider all of the risk factors that arise.
Implementation Phase (Execution)
In the implementation phase, data protection solutions must be determined. These may include technical, organizational, administrative, or legal measures that produce a positive result, either by eliminating the identified risk or at least mitigating it so that the residual risk is controllable. Organizations may choose to adopt the recommendations of ISO/IEC 29134 for risk treatment. For example, an organization may introduce a new application or a new process to reduce risk, depending on the scope of the assessment, the risk management context and/or the industry sector.
Check Phase (Review)
The check phase consists of coordinated testing, release and documentation activities for the measures being implemented. The controls and risk treatment plans are monitored, measured, analyzed and evaluated to confirm that the controls are effective and that data privacy requirements are met. A detailed DPIA report should be published in accordance with the guidelines in ISO/IEC 29134.
Act Phase (Improvement)
The act phase is a continual cycle in which the data processing is reassessed whenever its legal and/or factual circumstances change in any way (e.g., other or additional controllers, processors, recipients or data subjects, or a change of technical tools). In other words, a DPIA is never a final, one-off assessment. Rather, it is a tool that supports legally compliant processing and decision-making, and it should be applied as a continual process that is updated whenever necessary.
Conclusion
Because DPIAs are a new requirement of modern data privacy laws and regulations, there are still many uncertainties regarding the most practical approach to conducting them. Nonetheless, a DPIA can be a helpful tool for identifying the risk to the rights and freedoms of data subjects that an intended data processing operation can foreseeably cause. The DPIA functions as an early warning mechanism for any data controller, allowing risk to be identified and addressed more easily.
The goal of any DPIA must be to reduce the level of interference through the implementation of technical and organizational measures. The realization of the final report’s recommendations and the implementation of those measures should be monitored. How implementation is carried out may depend on the organization and its circumstances. However, the DPIA must follow a supervision and revision cycle (such as the PDCA life cycle of a management system). If changes occur within the data processing operations, the DPIA phases must be repeated.
Hafiz Sheikh Adnan Ahmed, CGEIT, CDPSE, GDPR-Certified Data Protection Officer, ISO MS Auditor, ISO MS Lead Implementer
is a chief governance, risk and compliance (GRC), information security and data privacy advisor with more than 16 years of industry experience in the fields of GRC, information and cybersecurity, data privacy, business continuity, and risk management as a lead auditor and lead implementer. He is a Microsoft Certified Trainer, PECB Certified Trainer and ISACA-APMG Certified Trainer. He is an experienced speaker and conducts regular training, workshops, and webinars on the latest trends and technologies in the fields of digital transformation, information and cybersecurity, and data privacy. He also serves as a board member of the ISACA® United Arab Emirates (UAE) Chapter and volunteers at the global level of ISACA in different working groups and forums. He can be contacted through email at hafiz.ahmed@azaanbiservices.com and LinkedIn at http://ae.linkedin.com/in/adnanahmed16