Impact! A Roadmap to Data Protection Impact Assessment

A new framework of Data Protection Impact Assessment (the “DPIA”) has been introduced as part of the General Data Protection Regulation as of 25 May 2018.

The DPIA may be understood as a privacy-related impact assessment having the objectives of identification and analysis how data privacy might be affected by certain actions or activities which are either ongoing or envisaged within the business.

As sophisticated as it sounds, the DPIA procedure will typically involve a great deal of project management and coordinated collaboration of various departments.

In spite of an interim period of more than 2 years, there is still a significant number of businesses which have either completely failed to implement the DPIA processes or still have substantial deficiencies in the procedures.

First place, it needs to be determined if the DPIA applies to the company’s business at all. Given the complexity and amount of necessary resources required for implementation of the DPIA, lawmakers reasonably limited the scope of data controllers/processors subject to DPIA.

As a general rule, DPIA is required whenever processing of personal data may constitute a high risk to the rights and freedom of individuals. This applies in the following cases:

  1. systematic and extensive evaluation of the personal aspects of an individual which is based on automated processing, including profiling;
  2. processing of special categories of personal data (sensitive data) on large scale;
  3. systematic monitoring of public areas on large scale.

To properly implement the DPIA process, the corresponding project management will typically involve the following stages:

1.Applicability of DPIA

This step will determine whether the risks of the data processing operation require the business to undertake the DPIA. Even if the DPIA may not be mandatory for certain data processing, it may be undertaken on a voluntary basis in order to promote data security within the company. The voluntary DPIA may be also used to boost the reputation of a business.

2. Description of Data Flow

Systematic description of data flows within the company, including specification of the particular personal data, data subjects, purposes of processing, sources of data, data processing operations, data recipients, legitimate interests of the controller etc. It shall result in a detailed comprehensive catalogue of personal data and processing operations.

3. Necessity and Proportionality Test

Processing of the data collected in the above catalogue needs to be tested from the perspective of necessity and proportionality in relation to the respective purposes.

4. Identification and Evaluation of Privacy Risks

This stage results in a catalogue of potential risks regarding the data, vulnerability of data, classified according to their potential impact on the rights and freedom of data subjects. The evaluation phase is then based on a risk-decision assessment, i.e. whether the applicable risks are justifiable and may be accepted; and if yes, under which conditions.

5. Planning of Solution Measures

At this stage, appropriate measures need to be planned to prevent, reduce, limit or mitigate the above risks. Measures may include binding internal regulations, ICT security, physical protection, limited access, ongoing monitoring of privacy and data security, appropriate supervision, regular training of staff with follow up procedures, internal checks, compliance with approved codes of conduct etc.

6. Approval of DPIA

The DPIA report which deals with the above shall be approved by a competent body of the data controller/processor. If the DPIA identified high risks of processing, the Czech Personal Data Protection Office needs to be consulted prior to processing of data.

7. Integration of DPIA

Findings and measures under the DPIA shall be properly implemented into regular operation of the business, monitored and updated on a regular basis and prior to introduction of new processes within the company.

Depending on the size of the business, the nature of the processed data, and privacy security measures already in place, timing of the proper DPIA may range from a couple of days to several months of intensive engagement of multiple departments which will almost always include HR, IT and business departments. Obviously, DPIA should not be underestimated and required resources should be dedicated to the project, especially in the light of potentially high penalties for non-compliance.