Introduction
This article is part of the Brain On Security Series, and the topic is the Data Protection Impact Assessment (DPIA), often referred to as a Data Privacy Impact Assessment.
I chose the DPIA as the first deep-dive article in the Brain On Security Series for three reasons.
- It's Wednesday afternoon, October 24, 2021, and I am panicking because I decided to publish an article weekly on Wednesday.
- I needed to carry out DPIA for an organization, and I had to do a deep dive for my understanding.
- I have purchased the CDPSE exam from the ISACA website, and I have to book the exam date asap.
This article will help you prepare and conduct Data Protection Impact Assessments (DPIA).
What is a Data Protection Impact Assessment (DPIA)?
To understand the DPIA, you must first understand the General Data Protection Regulation (GDPR). To help you visualise it, I have created the following mind map.
The GDPR has 11 chapters, several of which are subdivided into sections, and 99 articles in total. The link to the original GDPR is in the resources section below.
Chapter 4, Section 3, Article 35(1) of the GDPR requires that, where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out "an assessment of the impact of the envisaged processing operations on the protection of personal data".
Put simply, a DPIA is an assessment of the impact that planned processing operations will have on the protection of personal data.
Why do we need to carry out DPIA?
The intention of carrying out a DPIA is to ensure that the personal information collected is used only for its intended purpose, and to identify the impact that any change to a process or system has on the organisation's compliance with its privacy policy and with applicable privacy laws and regulations.
What is the Purpose of DPIA?
A DPIA validates a proposed change from a privacy perspective: it checks that the process, product, or project has a well-thought-out privacy and security design, and that its impact on privacy is neutral or positive.
What is PIA?
A PIA is a targeted risk assessment that identifies the potential impacts on individual privacy, and on the organisation's ability to protect information, that result from a proposed change to a business process or information system.
What's the difference between PIA and DPIA?
Short answer: the PIA existed before but wasn't very well known. The GDPR coined the term DPIA and made it widely known.
Long answer: PIAs are not new, but until the GDPR coined the term DPIA they weren't widely known either. The GDPR raised the visibility and awareness of the impact-assessment process in the context of data protection by making it a legal obligation (Article 35) for any organisation within its scope whose processing of personal data is likely to result in a high risk. In effect, the GDPR took the PIA, renamed it DPIA, and made it famous.
When should DPIA be done?
A significant change is the trigger: organisations carry out a DPIA whenever a new process, product, or project will collect, store, or transmit PII, or when a significant modification to an existing one may create a new privacy risk. Under the GDPR the DPIA must be carried out before the processing begins; the fact that it will need updating once the project is under way is not a valid reason for postponing or skipping it.
What other benefits are there of carrying out DPIA?
Besides this, conducting and documenting DPIAs where required helps you avoid fines: failing to carry one out when the GDPR requires it is itself an infringement, so you must be able to demonstrate with evidence that you conduct DPIAs within the organisation. There are more benefits, some of which are listed below:
- Conducting a DPIA will increase awareness regarding data protection risks.
- This awareness will help improve the design of your project, product, or process and enhance the communication among the stakeholders about data privacy risks.
- Demonstrating that your organization complies with the GDPR and avoids fines.
- Increased customer confidence and trust, since a DPIA shows how mature your security and privacy practices are.
- Turn unknowns into knowns: a DPIA is a risk assessment tool, so you are essentially identifying your risk exposure in order to manage it well. If you haven't identified your risks, you've already accepted them.
- Understanding, awareness, and compliance with the GDPR increase your confidence in steering your company toward success. By carrying out DPIAs you help your future self: when a privacy or security incident does happen, you will have avoided both complacency and panic.
Who should conduct DPIA?
Ideally, the organization should document the answer to this question in the roles and responsibilities section of its privacy framework.
If your organisation does not have an official privacy framework, you can speak to your DPO or whoever is playing the role of DPO in your organisation. You can also speak to your compliance team. Your compliance team or DPO should have a process defined for DPIA.
The team or individual responsible for the DPIA process provides the required information, ensures the DPIA's findings are aligned with leadership, and secures the management buy-in and resources needed for the mitigation measures.
Who should be involved?
If the product, project, or process cuts across multiple departments and teams within an organisation, the number of people involved will depend on the scope. You may need to speak to all of them, but you can narrow the scope at any time to reduce the number.
Step-by-Step DPIA Process Guide
The following shows the mind map on how you can carry out a DPIA for your organization:
Step 1: Identify the need for DPIA
Conduct an initial lightweight screening (see the screening questions below) to determine whether you need a full DPIA. If so, proceed to Step 2 to plan it.
Step 2: Plan your DPIA
Define the nature, scope, context, and purposes of the processing you are assessing; these are the terms Article 35 itself uses. You already have notes from the screening, so use them as the starting point.
Step 3: Alignment with the Stakeholders
You should consult with various stakeholders, including team members across your organisation from legal, compliance, product, engineering, security, and data teams and the views of the people whose data you intend to process.
Step 4: Carry out the DPIA
Understand what the data is for and how it will be processed; data flow and data usage diagrams help here. Ensure you have a valid and lawful basis for processing the PII, and balance the organisation's interests against the rights of the people whose data you intend to process. Using the template process (provided in the resources section below), identify and assess the risks to individuals' privacy and data protection, and plan actions to mitigate them.
Step 5: Add your findings to the Risk Register
Incorporate the considerations, conclusions, and actions arising from the DPIA report into the organisation's planning. Add the risks identified during the DPIA to your organisation's risk register for appropriate risk treatment, track them until closure, and keep monitoring them on an ongoing basis. Once processing is under way, track the actions you identified and test that they operate as intended against the original purpose and data protection considerations.
Closing Notes
A few things have become evident to me as I researched the topic of DPIA over the last week.
- DPIA or PIA is a process, not a stand-alone or one-off activity.
- DPIA should be part of your broader Privacy Program.
- The organization should support the privacy program via an enterprise risk management framework.
- An ERM framework that supports the privacy programme ensures you have the backing of the Board of Directors and the leadership.
Common Privacy Risks That are Identified in DPIA
Notification
- Lack of transparency when collecting personal data
Purpose Limitation
- Processing personal data for purposes that data subjects have not been informed about.
Retention Limitation
- Holding on to personal data when there is no longer a need.
Protection
- Lack of security testing
- Poor information security practices
- Poor software development practices
- Poor vendor management
Accountability
- Lack of data protection policies and procedures.
Screening Questions
You may wish to create a checklist to decide whether to conduct a DPIA. The checklist should reflect your applicable regulatory requirements. For example, the GDPR (Article 35(1)) requires a DPIA where processing "is likely to result in a high risk to the rights and freedoms of natural persons".
However, I am sharing a few questions that I can think of:
- Will the new project, process, or product collect new personal data?
- Will it use personal data in a new way?
- Will it disclose personal data to new parties?
- Will it make automated decisions about individuals, including profiling?
- Will it involve processing personal data on a large scale?
- Will it process special categories of personal data (such as health, biometric, or genetic data) or data about criminal convictions?
Resources
- The original GDPR on the Official Journal of the European Union website.
- Data Protection Impact Assessment
- This website summarises and segregates the GDPR articles well.
- Brush up your understanding of the GDPR.
- GDPR Compliance Checklist
- The ICO's DPIA template, published by the U.K. Information Commissioner's Office, offers an example of how to record the process and outcomes of a DPIA. Remember to check out the ICO's DPIA guidance. The criteria for an acceptable DPIA are set out in the European guidelines on DPIAs.