Big school of GDPR - lesson 8: DPIA (Data Protection Impact Assessment)


DPIA is the heart of GDPR. At its core, GDPR aims to give individuals back control of their personal data by changing the way we think about it; responsible handling of personal data at the level of society can only be achieved by educating generations that are conscious of the risks of irresponsible or malicious use of personal data.

We all know to keep the PIN of our payment card secret, and we all approach an online store with a little caution. Yet while we are very careful when entering a card number, we type our first and last name into that same web shop without a second thought. Just as we have become aware of the importance of personal data tied to a bank account, we will in the coming years build awareness of other categories of personal data. The personal data held in information systems makes up our digital identity: a set of data that uniquely identifies us and says something about us.

The more data is stored in information systems, the greater the possibilities for analyzing it. Today our movements are tracked by telecom operators, banks, taxi companies, physical security companies... Our consumer habits are tracked by banks and shops. It is remarkable where we all leave information about ourselves, our children, our families, our friends... Possessing and processing this information has become a matter of political power, market dominance and profit. DPIA is nothing more than understanding the risk associated with collecting and processing personal data: systematically, repeatably, transparently and practically.

Transparency creates trust

The only problem with this is that the data is ours (it is personal, after all), while the assessment of the risk of its misuse, inadequate protection and leakage is done by those who collect and process it. To build trust between the owners of personal data (the data subjects) and the organizations that collect and process it (the controller and the processor), it is recommended that the DPIA results be published. Be transparent. Publish a list of your personal data processing operations, with the purposes, conditions and legal bases for processing, together with the DPIA results and the protection measures. Ideally, put this in a separate part of your web site called "Privacy" or something similar, written simply and plainly, in a way that shows how much you value your customers and the attention you pay to their safety.

When do we need DPIA?

A DPIA must be carried out whenever a processing operation is likely to result in a high risk to the rights and freedoms of individuals (GDPR Article 35). This particularly applies to the introduction of new technologies such as biometric readers and facial recognition, and to new IT services that process personal data.

The catch with a DPIA is that you do not know, at least not fully, whether the processing is likely to be high-risk until you have carried out the DPIA. Every organization will develop the DPIA methodology that best suits its internal culture and fits its existing risk assessment methodologies. The Article 29 Working Party guidelines on DPIA (WP248) recommend carrying out a DPIA when it is required, and also when you are not sure whether it is required. A well-developed DPIA is based on information gathered about the processing method, the protective mechanisms, the type and amount of data processed, who has access to the data, the reasons for processing and anything else that may affect the security of the processing and its impact on the data subject. Such a DPIA takes a non-negligible amount of time and resources, and you do not want to spend them on every processing operation. Instead, divide the process into several phases:

  1. Does the processing involve personal data?
  2. If not, you do not need a DPIA. If yes, how much personal data is there, and what kind is it?
  3. If there is a lot of it and/or it includes special categories of personal data, conduct the DPIA. If not, enter the processing operation, together with the reasons for not conducting a DPIA, into your processing register (the record of processing activities).

It is wise to keep a list of IT services, as good IT service management practice prescribes, and to include the DPIA status of each service in its IT service record. With a little effort, the processing register and the IT service register can become one.

A DPIA must be carried out for any personal data processing that could result in high risk, regardless of whether it is a systematic, repeated processing within an established IT service or a one-off processing that may look trivial, such as exporting and processing data in an Excel table on your laptop, or a complex data analysis using OLAP cubes, a data warehouse or a data lake. To decide whether a DPIA is needed for a given processing, you can also use the following criteria from the WP248 guidelines; as a rule of thumb, a processing that meets two or more of them needs a DPIA, and in some cases a single criterion is enough:

  • Does it evaluate or score the data subject, including profiling?
  • Does it support automated decision-making with legal or similarly significant effects on the data subject?
  • Is it systematic monitoring of data subjects?
  • Does it involve sensitive personal data (special categories) or data of a highly personal nature?
  • Is the data processed on a large scale?
  • Does it match or combine data from multiple sources?
  • Does it involve data of vulnerable groups of data subjects (e.g. children, employees, patients)?
  • Is it an innovative use or application of new technology (e.g. facial recognition)?
  • Does it involve transferring data outside the EU?
  • Does it prevent data subjects from exercising a right or using a service or contract?

What counts as a large amount of data depends again on the type of data. A single DVD with the recorded testimony of a protected witness in court proceedings can be a large amount of data, while a database with a thousand records on trade union members need not be.

How to conduct DPIA?

However you do it, the DPIA must be carried out before the processing it relates to begins. A lack of detailed information about the processing is not an excuse for postponing it. If you are wise, the DPIA will become an integrated part of your information security risk management, so it will either run continuously or be closely tied to your change and project management processes. Like information security risk assessment or operational risk assessment in general, the DPIA must be sensitive to changes in the risk environment.

The controller, i.e. the organization that collected the personal data on a lawful basis, is responsible for the DPIA. If the data is handed over to a processor, the processor must assist with the DPIA, but the final responsibility remains with the controller. The DPIA can also be conducted by a third party, which will most commonly be the case when the data is entrusted to an external processor. Whoever carries it out, the controller must seek the advice of its data protection officer where one is designated (GDPR Article 35(2)).

The DPIA methodology needs to take enough parameters into account to give credible results; it must be repeatable and documented and, above all, designed so as not to burden the existing processes (too much).

A methodology based on scenario analysis has proved quite effective. Since a DPIA is usually first carried out for a change (the introduction of a new processing operation or IT service), there will normally be a project team in charge of that change. Because of its core task, that team will have most, if not all, of the competencies needed to evaluate the DPIA. What it lacks it will look for outside the team, or outside the organization when needed; this is primarily the case for information security specialists focused on privacy, and for IT lawyers. A DPIA looks at personal data and the consequences of its processing from the point of view of its owner. Choosing a scenario for analysis should therefore always consider the consequences of that scenario for the data subject, the owner of the personal data. For each scenario, you will assess two main factors:

  • the impact on the data subjects
  • the likelihood that the scenario occurs

The result of a DPIA is not a measure of impact, as the name might suggest. It is a value that indicates risk, as the product of impact and likelihood. This opens the door to risk reduction in line with the risk management methodology we adopted long ago ;). Measures should be considered that reduce the impact and the likelihood to an acceptable level. More information on risk management can be found in ISO 31000.

A DPIA is not a one-off activity. It is a process of continuous risk management related to personal data. More information, as well as a link to the official DPIA guidelines, is available here.

Communicating the DPIA to the DPA (Data Protection Authority; AZOP in Croatia)

If the DPIA points to a high risk to individuals' rights and freedoms, you must first ensure that appropriate measures are implemented to reduce this risk to an acceptable level. What counts as an acceptable level of risk is your internal decision. It should be based on ethical principles and, where those are not high enough, on fear of the DPA.

If you cannot reduce the risk to an acceptable level, you must consult the DPA before starting the processing (prior consultation, GDPR Article 36). There are exceptions to this rule that we will not deal with here.
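The screening phases and the WP248 criteria described above, the scenario rating (impact times likelihood) and the consultation rule can be captured in a small tool that keeps every decision, including the decision not to do a DPIA, auditable. The following is an added example written for this lesson, not code from the original article or from AZOP. The 1..4 rating scales, the 10,000-record threshold for "large scale", the "two criteria" trigger, the acceptable-risk level and the sample processing operations and scenarios are all assumptions chosen for illustration.

```python
# Added example (not from the original article): DPIA screening and scenario
# risk helper. The 1..4 scales, the large-scale threshold, the "two criteria"
# trigger and the sample data below are assumptions chosen for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# The ten screening criteria listed in the article (WP248 wording condensed).
CRITERIA: Set[str] = {
    "profiling", "automated_decisions", "systematic_monitoring", "special_categories",
    "large_scale", "combined_sources", "vulnerable_subjects", "new_technology",
    "transfer_outside_eu", "blocks_rights"}
# GDPR Article 9 special categories; their presence counts as a criterion.
SPECIAL_CATEGORIES: Set[str] = {
    "health", "genetic", "biometric", "racial_or_ethnic_origin", "political_opinions",
    "religious_beliefs", "trade_union_membership", "sex_life", "sexual_orientation"}

@dataclass
class Processing:
    """One entry of the processing register."""
    name: str
    data_categories: List[str]            # e.g. ["email", "biometric"]
    record_count: int                     # number of data subjects affected
    criteria: Set[str] = field(default_factory=set)

def screen(p: Processing, large_scale_threshold: int = 10_000,
           criteria_for_dpia: int = 2) -> Dict:
    """Phases 1-3 of the article: is a DPIA needed, and why (or why not)?"""
    unknown = set(p.criteria) - CRITERIA
    if unknown:
        raise ValueError(f"unknown screening criteria: {sorted(unknown)}")
    if not p.data_categories:                       # phase 1: no personal data
        return {"processing": p.name, "dpia_required": False,
                "hits": [], "reason": "no personal data processed"}
    hits = set(p.criteria)                          # phase 2: what and how much
    if set(p.data_categories) & SPECIAL_CATEGORIES:
        hits.add("special_categories")
    if p.record_count >= large_scale_threshold:
        hits.add("large_scale")
    # phase 3: special categories alone, or two or more criteria, trigger a DPIA
    required = "special_categories" in hits or len(hits) >= criteria_for_dpia
    reason = (f"{len(hits)} screening criteria met" if required
              else "below DPIA threshold; decision recorded in the register")
    return {"processing": p.name, "dpia_required": required,
            "hits": sorted(hits), "reason": reason}

@dataclass
class Scenario:
    """One misuse or failure scenario, rated from the data subject's point of view."""
    description: str
    impact: int                           # 1 negligible .. 4 maximum
    likelihood: int                       # 1 negligible .. 4 maximum
    # (measure, impact reduction, likelihood reduction): assumed effect of a control
    measures: List[Tuple[str, int, int]] = field(default_factory=list)

def risk_level(impact: int, likelihood: int) -> int:
    """Risk as the product of impact and likelihood on the 1..4 scale."""
    if not (1 <= impact <= 4 and 1 <= likelihood <= 4):
        raise ValueError("impact and likelihood must be between 1 and 4")
    return impact * likelihood

def residual_risk(s: Scenario) -> int:
    """Risk remaining after the planned measures; neither factor drops below 1."""
    impact = max(1, s.impact - sum(m[1] for m in s.measures))
    likelihood = max(1, s.likelihood - sum(m[2] for m in s.measures))
    return risk_level(impact, likelihood)

def assess(scenarios: List[Scenario], acceptable: int = 4) -> Dict:
    """Risk register for the DPIA report; residual risk above the acceptable
    level on any scenario flags prior consultation with the DPA."""
    rows = [{"scenario": s.description, "inherent": risk_level(s.impact, s.likelihood),
             "residual": residual_risk(s)} for s in scenarios]
    for r in rows:
        r["acceptable"] = r["residual"] <= acceptable
    return {"rows": rows, "consult_dpa": any(not r["acceptable"] for r in rows)}

# Constructed sample data, not real processing operations.
FACE_RECOGNITION = Processing("Face recognition at the shop entrance", ["image", "biometric"],
                              50_000, {"systematic_monitoring", "new_technology"})
NEWSLETTER = Processing("Newsletter sign-up", ["email", "name"], 3_000)
SENSOR_LOG = Processing("Server room temperature log", [], 0)
FACE_SCENARIOS = [
    Scenario("Biometric templates leaked from the vendor's cloud", 4, 3, [
        ("Templates encrypted at rest, keys held by the controller", 1, 0),
        ("Templates kept on-premises, never replicated to the vendor", 0, 2)]),
    Scenario("Shopper misidentified and refused entry", 3, 3, [
        ("Human review before any action is taken", 2, 0)]),
    Scenario("Footage reused for marketing analytics (purpose creep)", 3, 2),
]

if __name__ == "__main__":
    for p in (FACE_RECOGNITION, NEWSLETTER, SENSOR_LOG):
        print(screen(p))
    print(assess(FACE_SCENARIOS))
```

Running it screens the face recognition system as needing a DPIA (biometric data, large scale, systematic monitoring, new technology), records why the newsletter and the temperature log do not, and then shows that two of the three face recognition scenarios are brought within the acceptable level by their measures while the purpose-creep scenario is not, which is the case where the controller has to consult the DPA before starting. Unknown criteria names and ratings outside the scale are rejected rather than silently ignored, so a typo in a register entry cannot make a high-risk processing look harmless.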

The DPIA report will have to include the following main chapters:

  • a systematic description of the processing, including its nature, scope, context and purpose, the technical details, and information on the systems involved and how the processing is managed,
  • an assessment of the lawfulness, necessity and proportionality of the processing, its ethics, and the fulfilment of the rights of data subjects,
  • the risks to individuals' rights and freedoms and the ways in which those risks are mitigated, and
  • the involvement of all interested parties in the assessment process.

Annex 2 to the guidelines gives more detail on the content of each of these chapters.

Once the DPIA becomes an integrated part of the risk management system, you have created the prerequisites for privacy by design, which will be the subject of the next lesson.