[BreachExchange] So, What is a Data Privacy Impact Assessment and Why Should Organizations Care?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 13 18:58:39 EST 2018


If you’ve read anything about the upcoming General Data Protection
Regulation (GDPR), you’ll probably have seen the phrase Data Privacy Impact
Assessment (DPIA) used. It’s similar to the current Privacy Impact
Assessment (PIA) already in place in countries like the UK and a DPIA is
expected to address four areas:

- A description of the envisaged processing operations and the purposes of
the processing
- An assessment of the necessity and proportionality of the processing
- An assessment of the risks to the rights and freedoms of the data
subjects concerned
- The measures which will be put in place to address those risks and
demonstrate compliance

There are, however, some key differences to existing regulations. Firstly,
while PIAs are optional, DPIAs are not. They’re being introduced to help
organizations comply with GDPR – and demonstrate that compliance. A failure
to conduct a DPIA when one is deemed appropriate, doing it incorrectly, or
even failing to consult the regulatory authority when required can lead to
a fine of up to 2% of an organization’s turnover, or €10 million.

Secondly, this isn’t a typical risk assessment exercise where the focus is
on the organization. Instead, it should be conducted from the point of view
of the individuals, or data subjects, involved to manage the risks to their
rights and freedoms.

And finally, the GDPR specifically points out that a DPIA is the
responsibility of the ‘controller’. A controller is the company or
organization which determines the purposes and means of processing data. A
bank, for example. So even if the bank outsources the processing of data to
a specialist service provider, it is still liable for complying with the
GDPR and completing a DPIA where appropriate.

All of that said, let’s look at the introduction to Article 35 of the GDPR
which talks about when a DPIA is required:

“Where a type of processing in particular using new technologies, and
taking into account the nature, scope, context and purposes of the
processing, is likely to result in a high risk to the rights and freedoms
of natural persons, the controller shall, prior to the processing, carry
out an assessment of the impact of the envisaged processing operations on
the protection of personal data.”

Note the use of the phrase in the first line: in particular using new
technologies. There’s a certain ambiguity here because that could refer to
emerging technologies like Amazon’s digital assistant, Alexa, or it could
refer to technologies that an organization or company is introducing for
the first time, like fingerprint recognition.

Also, note the important phrase in the third line: prior to the processing.
In line with the ‘data protection by design and by default’ concept that
the GDPR introduces, a DPIA has to be in place before data is gathered or
processed. The Data Protection Working Party, the EU body which currently
provides advice and promotes the consistent application of data protection
regulations, also ‘strongly recommends’ carrying out a DPIA for processing
operations already underway.

That’s the important stuff out of the way. A DPIA isn’t optional for
certain kinds of processing, there’s a heavy penalty for not complying, and
it’s the responsibility of organizations or companies which use data, not
third parties who process it.

What Processing is Subject to a DPIA?

Article 35 of the GDPR talks in general about automated processing and
profiling, processing on a large scale, and systematic monitoring of public
areas, but doesn’t go into detail beyond this.

To provide some direction, the Data Protection Working Party has issued
some guidelines which include the kind of processing operations which are
likely to introduce a risk to data protection rights or freedoms:

1. Evaluation or scoring, including profiling
2. Automated decision-making
3. Systematic monitoring of individuals
4. The processing of sensitive data
5. The processing of data on a large scale
6. Matching or combining datasets
7. The processing of data concerning vulnerable data subjects
8. The innovative use or application of technological or organizational
9. When the processing in itself prevents data subjects from exercising a
right or using a service or a contract

The rule of thumb is that if the proposed processing meets one of the above
criteria, it may not require a DPIA, whereas if it meets two or more of the
criteria, it will require a DPIA.

A mailing list used to send a weekly digest to subscribers to an online
golf magazine, for example, won’t require a DPIA, even if it’s a large
list. If that same list is combined or cross-referenced with other lists to
create an enhanced list where offers can be targeted based on income or zip
code, then it will require a DPIA.

The default position here is that if you’re unsure whether a DPIA is
necessary, do one. The upside is that it will help you understand exactly
what data is being processed and why, what the risks are, and how those
risks are being addressed. There is no downside.

What is the Content of a DPIA?

Rather than defining the precise format of a DPIA, the GDPR leaves it open
so that organizations can create one that complements their existing
working practices, and matches frameworks already in place, instead of
forcing them to change.

In the UK, for example, the Information Commissioner’s Office already has a
code of practice for conducting privacy impact assessments. Similarly, the
European Union’s Smart Grid Task Force has produced a data protection
impact assessment template for smart grid and smart metering systems, which
is a valuable sector-specific resource.

Whichever approach is taken, the GDPR does stress that the minimal content
of a DPIA should cover the four key areas mentioned earlier.

Finally, once a DPIA has been completed, that’s not the end of the story.
The final sentence of Article 35 specifically says:

“Where necessary, the controller shall carry out a review to assess if
processing is performed in accordance with the data protection impact
assessment at least when there is a change of the risk represented by
processing operations.”

So ongoing monitoring is also part of the requirements for compliance, and
the risk to the rights and freedoms of data subjects need to be evaluated
and reviewed regularly.

The most valuable resource I’ve found regarding DPIAs are the guidelines I
mentioned earlier from the Data Protection Working Party. Of particular
value are the appendices which include examples of existing EU frameworks
and the criteria for an acceptable DPIA in the form of a check list.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180213/137da4c3/attachment.html>

More information about the BreachExchange mailing list