How to create a DPIA process and bring in your team

What & why of DPIAs for organisations

A Data Protection Impact Assessment (DPIA) is a process for building and demonstrating compliance with the GDPR or other data protection laws. DPIAs allow companies to systematically identify, analyse, and implement controls that mitigate the data protection risks that are carried by a project that involves the processing of personal data.

Generally speaking, DPIAs have to be conducted for processing activities that pose a high risk to individuals. That being said, companies shouldn’t view this process as a blocker, but rather as a driver for more efficient processing of personal data as part of data minimisation. A key stage of a DPIA is the assessment of the necessity and proportionality of the processing, which often forces companies to really consider whether the added value of the processing outweighs the costs.

Companies that go through DPIAs often conclude that some of the processing in the activity being assessed is:

  1. Not desirable for the business, so that processing shouldn’t be pursued in the first place;

  2. Not needed to achieve the purpose, so that processing shouldn’t be pursued;

  3. Excessive and inefficient, so more proportional alternatives should be pursued.

Assuming a processing activity successfully passes the necessity and proportionality stage, the DPIA now puts the spotlight onto the risks posed by this activity. The DPIA does not create risks; those are inherent to the processing activity and exist regardless of whether or not they are identified. The DPIA simply helps a company start the conversation about the risks posed by a processing activity, how severe they are, and what should be done to mitigate them.

Why should companies proactively conduct DPIAs in order to mitigate risks? Because risks, even if unidentified, can harm a business and eventually have to be tackled at a later date, either due to regulators stepping in, investors/partners asking questions, or clients noticing the visible cracks in the company’s privacy posture. Companies that end up in this position understand first-hand why prevention is better and cheaper than the cure.

A global approach & global nuances

The DPIA is not only required under the GDPR, but also under other data protection laws in the US (Virginia, California, Colorado), Australia, Brazil, China and so on, where it might have a different name such as Privacy Impact Assessment (PIA), Personal Information Impact Assessment (PIIA), or Data Protection Assessment (DPA). Regardless of jurisdiction, each of these is at its core a risk assessment; the differences between them lie in the threshold that has to be met before one is required, how they are structured, and what content they should include.

When faced with a high-risk processing activity that covers data subjects from multiple jurisdictions, a company will find it easier to follow the structure and content required by the GDPR when conducting a global DPIA. The European Data Protection Board adopted the Guidelines on Data Protection Impact Assessment published by its predecessor, the Article 29 Working Party. Annex 2 of those guidelines (“Criteria for an acceptable DPIA”) includes a checklist of the content that should be included in a DPIA for it to be sufficiently comprehensive to comply with the requirements under the GDPR and any other data protection law. These guidelines (and a template that conforms with Annex 2) can be used to approach a DPIA of a global processing activity.

Bring in your team - ‘teach them how to fish’

A DPIA has four stages:

  1. Description of the processing;

  2. Assessment of the necessity and proportionality of the processing;

  3. Identification and assessment of the risks to individuals; and

  4. Identification of mitigating controls.

In the early days, the team (marketing, HR, etc.) that initiates the DPIA is likely to be involved in stage 1 and partially in stage 2. The privacy team will have to come in during stage 1 to extract additional relevant information from the team. During stage 2, the privacy team will ask additional questions that help them formulate the answers to the questions “Is this processing activity necessary?” and “Is this processing activity proportional?”. The privacy team will then own stages 3 and 4 and deliver the results to the team.

The end goal is for the team that initiates the DPIA to be involved in stages 1 and 2, and partially involved in stages 3 and 4. The privacy team would only have to be involved in stages 3 and 4 to validate and augment the risks and controls identified and assessed by the team. This arrangement is desirable because the team that owns the processing activity undergoing a DPIA is better informed about said activity compared to the privacy team, and could produce high-quality assessments while also offloading some of the work from the privacy team.

How do you get here? By devising a DPIA process that follows the ‘Educate. Empower. Optimise’ framework.

Tools, resources & our tips

Educate revolves around training on DPIAs, while Empower focuses on making it easy for employees to start and contribute to a DPIA. None of this is possible without tools such as Notion, Miro, and our Trace® app, and resources such as department-specific DPIA playbooks, quick “How to” DPIA one-pagers, and visual flows of each step in the process.

Notion and Miro can be used to convey all the necessary information in a bite-sized and visual manner. Our Trace® app can enable you to customise your own DPIA template within your Trace® document library and collaborate with your team.

Companies should identify what works for them, and continuously assess and refine the DPIA training, tools, and resources (Optimise) that make up the ‘Educate. Empower. Optimise’ framework.


How Trace can help

Trace conducts global and pragmatic DPIAs both as-a-service and as part of the implementation of a privacy programme, where we also build the DPIA process through training and resource creation. Scaling companies might find it more suitable for Trace to act as their fractional DPO/CPO, a role that also involves Trace providing advice, training and guidance on DPIAs.

Don’t hesitate to get in touch and book a free call for an informal discussion of your needs and to hear more about how we’ve helped our clients identify, assess, and mitigate data protection risks.

This article was authored by Bogdan Barburas, CIPP/E | CIPT | CIPM | CIPP/US