Data Protection Impact Assessments: What Are They and Why The GDPR Insists On Them

First published November 2017

With the GDPR around the corner, companies throughout Europe have had to re-examine both their business structures and practices. With the new regulations relating to data protection, Data Protection Impact Assessments are set to become compulsory. But what are Data PIA’s? And how does a company go about completing them?

Data Protection Impact Assessments will be mandatory for any new high-risk processing projects a company takes on once the GDPR comes into force on May 25^th, 2018. As with all other areas of these new regulations, a considerable amount of preparation is needed if a company is to be fully compliant in time for the start date.

It is a serious undertaking, with companies who fail to meet their Data PIA obligations facing fines of as much as €10 million, or 2% of their annual global turnover for the preceding financial year (whichever is higher).

With such heavy consequences to face, the need to properly handle the new obligation is acute. So, what can your organisation do to make sure they satisfy expectations and comply with the terms stipulated in the GDPR?

What is a Data PIA?

Data protection and privacy are major concerns for the EU and a Data Protection Impact Assessment is part of their plan to ensure the highest level of data protection is achieved and maintained. One key issue is the need to protect data transferred to third-party countries or organisations outside the EU.

A Data PIA is essentially a risk assessment of the processes your organisation uses when dealing with personal data. If you process personal data that is likely to be high risk to the data subject’s rights, an assessment must be carried out before the process starts.

Through the Data PIA, an organisation will become more aware of the data protection risks connected with a particular project and, as a result, introduce the measures needed to better protect against data breaches.

The Data Controller will be responsible for carrying out assessments, specifically in relation to the impact it will have on the security of personal data. Some companies may decide to appoint a dedicated Data Protection Officer (DPO), but the Data Controller will still be accountable.

Just some of the risk individuals (whether employees or clients) are facing include:

• inappropriate disclosure of personal data within a company
• electronically-held data being hacked
• inappropriate disclosure of sensitive personal data
• personal data being used in a manner not anticipated, or for purposes not expected, due to an evolution in the nature of a particular project
• personal data being used for automated decision-making
• technology capable of making intrusive visual or audio recordings
• data transferred to countries with inadequate data protection regimes

Who Needs To Carry Out A Data PIA?

The assessment is not compulsory for every business. It only relates to:

• Any organisation that carries out “systematic and extensive evaluations of personal aspects relating to natural persons”. These systems would be based on automated processing (including profiling) and decisions from those systems that may have legal consequences. This can include banks and other financial institutions, especially those who process loan applications, but also marketing firms and data analytics providers.
• Any organisation that processes sensitive personal data, and any personal data relating to criminal convictions and offences. Some examples of this category of business are healthcare providers or insurance companies.
• Any organisation that carries out systematic monitoring of a publicly accessible areas, such as local authorities where there are CCTV systems in public areas, and independent operators in the leisure industry who use CCTV security systems (nightclubs, bars, shopping centres etc).

What Your Data Protection Impact Assessment Must Contain

A Data Protection Impact Assessment has a very clear purpose. As such, there are definite types of information that the assessment is expected to include. The GDPA details the minimum features that the assessment should contain. These include:

• Details of the processing method, including its purpose, such as what the personal data will be used for, and who will have access to it
• An assessment of the necessity and proportionality of the data processing
• An evaluation of the risk to personal subjects affected, like any possible financial loss, distress or the likelihood of any data disclosures and any associated inadequate controls
• Recommended measures to address these risks and to ensure GDPR compliance

6 Steps To Completing Your Data Protection Impact Assessment

1. Compile a complete list of all relevant stakeholders, entities and systems within your organisation.
2. Compile a complete list of data management processes – a process is any event that is required to complete a business function.
3. Carry out a workflow analysis and develop ‘swim lanes’, so you can see on a graph how data is flows in an out of company.
4. Begin the Data PIA for each of the processes identified and evaluate the potential risk for each.
5. Carry out a detailed Risk Analysis so as to measure the likelihood of any perceived risk and the severity of each.
6. Form an Implementation Plan, and set about acting on it.

For more reading on the subject of the GDPR and Data Protection Impact Assessments, you can read details provided by:

• The Data Protection Commissioner (Ireland) – Data PIAs
• The Information Commissioner’s Office (UK) – Data Protection Impact Assessments
• The EU GDPR official website

Looking for some help? For more than three decades, our data processing experts have been helping businesses overcome their toughest challenges with Business Process Services. Click here to find out more.