DPIA – the scary elephant in the data protection room
Data Protection Impact Assessment, or DPIA for short. Even the acronym can strike fear into the hearts of those struggling with data protection compliance. But those people are not alone – some experts would probably agree that it’s not their favourite thing to do either. Completing a DPIA can take a lot of thought, time and effort. But, try as you might, they cannot be avoided.
What is a DPIA for?
A lot of the angst can derive from a simple misunderstanding; a DPIA is a risk assessment but not primarily to the risks your organisation faces. It focuses on the risks to the people whose data you will be using. That said, there’s also a need to consider the risks your organisation could face, for example if a breach occurs. Such risks could include reputation damage, regulatory fines and even loss of business, but these can arise out of not getting the first part right. While organisational risk is reasonably well understood, it’s the privacy risks that often cause the most difficulty.
Don’t get too worried. The beginning of the process is simply working out whether you need a DPIA at all. This can be decided through a number of screening questions which are in the GDPR itself and have been added to by supervisory authorities and the Article 29 Working Party, an EU advisory body now replaced by the European Data Protection Board. The screening questions are relatively straightforward at first glance but do require some thought. For example, the GDPR asks: “Will the processing involve special categories of data… on a large scale?” Let’s say your plans include processing some health data – but is this large scale? Well, that depends. There is no official definition of ‘large scale’ but it can be understood by looking at what type of health data is in scope: either serious medical conditions or the last time you took a day off sick and why? Is it going to be a significant number of data subjects, such as in the millions? Or maybe not a large number but a relevant proportion such as over half of the town’s residents?
Let’s put this into context…
At this point, and before it gets too confusing, we’d like to introduce you to Sam, the man (or woman) in the street. They’re used in legal and statistical discussions to represent the person who sits at the top of the bell curve – average, ordinary, your everyday Joe (or Jill). Sam is the person whose personal data you’re thinking of processing. For every screening question, ask yourself “what would Sam think?”
Sam doesn’t have a problem with your use of the personal data you’re thinking about using but might get upset if you used it to decide whether they should pay a higher insurance premium. They’re happy for you to have that information as the reason for its use is understood and acceptable but would be horrified if a breach occurred and their friends and neighbours could read their information online.
If there’s something you think Sam would be worried about, then it’s probably time to look at the full DPIA. Identify the concern and what you can do to make Sam happy. It might be additional security controls to help prevent breaches, reducing the amount of sensitive data you need to use, restricting who can access it, or making it clear you’ll delete it the minute you no longer need it. Whatever will make Sam smile again is what you need to put into place. Don’t know a Sam? The DPIA process encourages you to consult with others including the data subjects themselves. There are plenty of Sams out there. Then there’s only one piece of the puzzle missing, your Data Protection Officer, or on-call expert, will be able to guide Sam in making informed decisions as they know the law and, more importantly, have experience in what can and does go wrong.
Don’t let the thought of a DPIA scare you, it’s about making sure everything is thought through and no decisions you make will cause sleepless nights for your data subjects. No scary elephants needed.