[GDPR] Basics – What is a Data Privacy Impact Assessment (DPIA)

What is a Data Privacy Impact Assessment?

A Data Privacy Impact Assessment (DPIA, formally a Data Protection Impact Assessment under Article 35 of the GDPR) is a planning and strategic document that lets you review the risks of an entire data processing activity, or of part of it where several DPIAs together cover the whole. The idea is that once the process and its risks have been reviewed, including suggested mitigations for each risk, the organisation can decide whether the processing activity should go ahead at all. A DPIA is mandatory for any new processing that is likely to result in a high risk to the rights and freedoms of individuals (as defined by the GDPR), and it should be done while the process is still in the discovery phase, not once it is already in operation. For any existing process, the best time to do the assessment is yesterday.

There is no reason why you can't perform a DPIA on any new or altered processing activity, whatever the initial perceived risk; in fact I openly recommend doing so on a regular basis, as it keeps the organisation's mindset 'privacy first'. It obviously also helps identify and protect the rights and freedoms of the data subjects whose data you hold. A DPIA is also very important should you suffer a data breach and have to report it to the ICO: one of the first things they may ask for is the DPIA for the processing activity where the breach took place, and if you can't produce one it does not reflect well on the organisation.

Who writes/creates the DPIA?

A DPIA should be written by the person who best understands, or is pushing for, the exact data processing activity being planned or discussed. Usually that is the relevant team lead or process owner, as they should have the deepest knowledge of the data the activity needs, the way that data will be moved or processed, and the technical risks involved in handling it. (Legally the controller, i.e. the organisation, is responsible for carrying out the DPIA, but in practice it is written by the people closest to the processing.) Against each identified risk they should record the controls that will mitigate it; even a risk that is fully mitigated should still be stated in the assessment, so that the reasoning is visible. If the residual risk is still high after the planned controls, Article 36 of the GDPR requires you to consult the ICO before the processing starts. Once completed, the DPIA should ideally go to the Data Protection Officer or data protection lead in your organisation to review and provide a summary or recommendation (the GDPR in fact requires the controller to seek the DPO's advice where one has been appointed). There is nothing to stop your DPO or data protection lead from assisting the process owner along the way.

What does a DPIA look like?

The chances are your DPIA will be a simple text document or spreadsheet that you have templated so that it is as easy as possible to fill in, share and review within your organisation. I'm a big fan of spreadsheets over documents for DPIAs because it is easier to lay out a list of risks next to their controls and to colour-code them so that the highest-risk items stand out at a glance. Spreadsheets are not ideal for free text, but when templated correctly there is still room to describe your process in detail.

I'll be putting together and sharing a more generic spreadsheet DPIA template for you to download and edit to your requirements. In the meantime, the ICO provides a Word document style template here.

How long should I hold onto the DPIA, and how often should I update/review it?

You need to keep the DPIA in a safe but accessible place for as long as you are processing the data. It should remain accessible to the DPO, the team lead and any team member likely to be working with the data. You may well derive a training guide or a more team-friendly document from the DPIA to make sure everyone understands the risks of the processing activity and the controls in place to mitigate them. As for reviewing it: the GDPR expects the controller to revisit the DPIA at least when the risk changes, so review it whenever the processing changes materially (new data items, a new purpose, a new supplier or technology, a security incident) and, as a minimum, on a fixed cycle such as annually.

Generally, if you do a DPIA and then no one knows about it, was it even worth doing in the first place?

Once the processing has stopped, keep the DPIA in an archive for a set period that suits your organisation (e.g. 2 years). The reason for archiving is that it can take months or years for a data breach to come to light, and having the DPIA to hand as evidence for the ICO matters. Archived DPIAs also let your team look back at earlier decisions when they need to.