One of the new requirements introduced by the EU General Data Protection Regulation (GDPR) is the obligation to carry out a data protection impact assessment (DPIA) where a type of processing, in particular one using new technologies, is likely to result in a "high risk to the rights and freedoms of natural persons".
Before deciding whether a full DPIA is needed, the organization must answer several questions about the process under consideration. Here are some examples:
- Could the new process expose the persons involved to high risks (e.g. identity theft, disclosure of habits, processing of biometric data, ...)?
- Do we process, or intend to process, data covered by Article 9 (special categories) or Article 10 (criminal convictions and offences) of the GDPR?
- Do we systematically monitor a publicly accessible area?
- Does our processing include automated decision-making, profiling, ...?
- Do we already collect the personal data needed for this process, or will new data be collected?
Not every technology or process requires a DPIA (remember the "high risk" threshold above). Nevertheless, an organization benefits if at least a minimum evaluation of the impact on personal rights is carried out before and alongside every project in which personal data are involved. The evaluation may well result in a slightly redesigned process that stores fewer or less sensitive personal data while keeping all the necessary functionality.
When the organization decides to carry out a full DPIA for a specific process, the very first step is to establish the scope in which personal data will be used. The next crucial step is to document that use, including (but not limited to) definitions of the specific data items to be processed, retention periods, transfers of the data, ....
Once the scope and use of personal data are thoroughly documented, it is time to identify and analyze the risks. It is crucial that all interested parties take part in identifying them. For the analysis, I suggest the Likelihood + Impact evaluation criteria. If the impact criteria are split into separate areas (e.g. impact on customers, impact on reputation, ...), I suggest taking the highest impact level across those areas when calculating the RAG (Red/Amber/Green) risk score table.
Classifying and thoroughly documenting the risks is crucial for the next phase, in which the organization evaluates the risks and defines risk treatment plans. Besides the standard risk treatment options (Modify, Avoid, Share, and Retain for residual risk that is consciously accepted), I dare to suggest an additional one called Revise, where a revision of the process or part of the process is requested. Although Revise is usually treated as a part of Modify, naming it separately explicitly stresses that something needs to be done in a very different way.
The evaluation above produces the Data Protection Impact Assessment Report, the central DPIA document.
However, our job is not finished with "The Report". We need to obtain proper management approval (especially for residual risks that are being accepted), consult the supervisory authority where the residual risk remains high, and implement the risk treatment actions. Further on, we need to establish continuous risk monitoring and reporting using key performance indicators, supported by the roles and responsibilities identified during the evaluation process.
Although a careful data protection impact assessment may look like just another requirement from over-bureaucratic European bodies, it is in fact a fundamental part of a successful project handling personal data. Only by understanding its processes will an organization be able to properly manage potential issues and risks to personal data, avoiding unwanted publicity or even costly penalties.