What is a GDPR DPIA and Do You Need One? 

In February 2022, the Greek Data Protection Agency penalized a major telecommunications company for, among other things, an unsatisfactory data protection impact assessment (DPIA). If they had completed a proper assessment, they could have avoided all of the violations they had committed and avoided the hefty GDPR penalty. 

The Danish Data Protection Agency fined the Elsinore Municipality for failing to conduct a DPIA. They used Google Workspace but never assessed the risks that came with it. 

You've probably heard of data protection assessments if you have to comply with the GDPR or another data protection rule. And you may be wondering if your business needs one. This article will provide you with information on: 

• What is a DPIA under the GDPR? 
• Is a DPIA required? 
• What if a DPIA isn't required? 
• Conducting a DPIA 
• What should your DPIA include?
• What should you do with the DPIA results? 

After knowing all of this, you'll probably want to conduct a DPIA for your business because it's a useful tool for anyone who handles personal information.

What is DPIA under the GDPR?

The Data Protection Impact Assessment is a process by which the data controller assesses the risks associated with the processing of personal data. 

The goal of GDPR is to protect people's personal data. It seeks to compel businesses to adopt a proactive approach to data protection; hence, some of them are required to assess all risks prior to initiating data processing. For this reason, some businesses must undertake a DPIA.

Is a DPIA required for your business?

DPIA is necessary for some businesses. For others, it is a good practice that could reduce your risks related to data processing.

Article 35 of GDPR requires you to conduct a DPIA in the following situations: 

• Profiling and automated decision-making based on personal data, such as profiling to determine the credit rating of a person,
• Processing of sensitive personal data, such as health data processed by a fitness app, financial data processed by a personal finance app,
• Processing of personal data related to criminal convictions or offenses, such as HR software processing criminal records data, or
• Systematic monitoring of public areas, such as CCTV monitoring.

These are the situations where DPIA is obligatory. Every EU Data Protection Agency must publish a list of the specified processing activities that require a DPIA. Here’s an example of the Irish blacklist of processing activities that require a DPIA.

What if a DPIA isn't required for your business?

If a DPIA is not required for your business, you will not be penalized if you do not conduct one. However, any business that processes personal data is strongly advised to undertake a DPIA. 

It provides you with a comprehensive overview of your processing activities as well as the gaps you should focus on more closely. You may experience data breaches, fail to comply with data transfer laws, or unintentionally violate your users' rights by employing the services of non-compliant processors, regardless of how much data or what kinds of data you process. 

You are at risk no matter what you do with data, and a DPIA could help you limit and mitigate those risks. Again, although not obligatory, it is a good practice for every business.

Conducting a DPIA 

A DPIA can be carried out in several ways. You are free to conduct it in any way you see fit, as long as it achieves its purpose of assessing your risks and informing your data processing decisions. 

If you are unsure where to begin, you can use the templates provided by various data protection agencies. Use them as guidelines or strictly as is - no commitments are imposed. 

Your primary concern should be the proper assessment of risks, not the method.

To give you an idea of what the process can entail, below are a few steps for conducting a DPIA that could be helpful: 

• Assess the necessity for a DPIA. Find out if it is required or not. If you have to do one, you have no choice but to start right away. If you're not required to have one, why not do one to make sure your data processing risks are as low as possible? 
• Describe the data processing.
• Assess the necessity and proportionality of processing.
• Identify risks and compliance gaps.
• Identify measures to mitigate the risks and remove compliance gaps.
• Integrate insights into the plan.
• Review your DPIA.

Where Can I Get a DPIA Template?

Remember that no one-size-fits-all DPIA template exists for all businesses, but you can use them as guidelines. Check out the templates from the United Kingdom ICO and the CNIL of France for ideas.

What should your DPIA include?

GDPR specifies the bare minimum that every DPIA must include, which is:

• Description of processing operations. This may include what categories of personal data you process, how you collect it, what third-party tools you use, where the data is transferred, etc.
• Details on processing purposes. You must explain why you are processing the data and why it is necessary.
• An assessment of whether the processing is necessary and proportional to the purposes. You must consider alternatives to data processing in order to achieve your objectives. You should also consider how much data you'll need to collect.
• Assessment of the risks to data subject rights. Processing sensitive data or other processing activities requiring a DPIA always puts your users at risk. Before proceeding to the next section, you must first identify the risks and then implement security measures to mitigate those risks.
• The security measures for reducing the risks. Here you need to determine how you’ll handle each risk. If you have appropriate measures in place, document them and put them into action. If you are unable to determine such measures, seek advice from a data protection agency on how to proceed.

Remember that you can tailor the DPIA content to your company's specific needs. This is the absolute minimum it should contain, but feel free to expand it as much as you see fit. Some businesses conduct complex processing operations that necessitate a more thorough assessment.

Some businesses have been fined for not having one in place, while others have been fined for having a poor one. It is best to avoid penalties by making sure your DPIA is comprehensive.

What should you do with the DPIA results? 

Once you have the results of your DPIA, you must put the risk-reduction measures into action. The DPIA's purpose is to inform you of your risk mitigation activities, so this is the next logical step.

If you are unsure of what measures to take to mitigate the risks, you should contact the data protection agency and consult with them. You can explain your situation to them, and they will tell you what solutions are available and how to put them into action.

However, it doesn’t stop there.

You must review your DPIA on a regular basis to ensure that it is up to date with all of your recent changes in processing activities, especially if you:

• Start processing new categories of personal data
• Change the processing purposes
• Involve new third parties as data processors
• Change how you collect data

You are free to update your DPIA in other cases as well - whenever you think it is fit.

Conducting or reviewing your DPIA before making any changes in processing activities is a good practice because it will quickly show you whether you are on the right track to compliance.

Final Thoughts

The key takeaway from this article is that you should conduct a DPIA. Even if it is not explicitly required of you, performing one is still a good practice. It will take some time, but it will only benefit your company.

Our free GDPR e-book provides a simplified step-by-step breakdown of the two laws to help you understand what you need to become compliant with the GDPR.

If you would like to have our data protection expert carry out a quick 'check-up' of your website, cookie consent banner, or your cookie policy, book a call today.