Consider this: a healthcare provider decides to develop a new feature that would allow the storage and sharing of patient data with other healthcare providers. While this would enable them to coordinate more effectively, the healthcare providers understand the tremendous risk involved, owing to the sensitive nature of the data.
They decide to carry out a Data Protection Impact Assessment (DPIA).
Sure enough, the DPIA identifies several potential risks, such as the possibility of unauthorized access to patient data, potential data breaches, and unauthorized modifications to the data, among others.
Consequently, the healthcare provider proactively mitigates these risks by implementing several security measures, such as data encryption and access governance. The healthcare provider also conducts staff training on best practices related to data protection.
The aforementioned anecdote illustrates just how important a DPIA can be for organizations aiming to deliver quality services to their users without compromising their sensitive data.
Article 35 of the General Data Protection Regulation (GDPR) necessitates subject organizations to conduct similar DPIAs.
Read on to learn more about all the important basics about Article 35 of the GDPR:
What is Article 35 of the GDPR
Article 35 of the GDPR, titled "Data Protection Impact Assessment," is a systematic procedure employed to identify and minimize the potential risks associated with data processing activities. DPIA is typically carried out at the initiation of a new project, and it plays an important role in implementing the principles of Privacy by Design and Privacy by Default as outlined in the EU General Data Protection Regulation (GDPR). Using the results of DPIA, the organization can both identify and mitigate the potential risks that may pose an immediate threat to the organization's ability to carry on with its processing activities in a compliant manner.
The GDPR was one of the first global privacy regulations that made DPIA a legal requirement for organizations involved in high-risk data processing. However, organizations not subject to it may choose to conduct a DPIA for some of its various other benefits, such as maintaining a positive reputation, demonstrable accountability, and public engagement.
It's important to note that DPIAs are not a one-off exercise. Organizations must adapt these assessments as a periodic exercise due to a combination of regulatory requirements and the nature of these assessments. Doing so allows for consistently satisfying regulatory requirements while also providing insights into an organization's data processing activities over an extended period.
When is a Data Protection Impact Assessment (DPIA) Required
According to the GDPR, organizations are obligated to conduct a DPIA under specific circumstances. This obligation arises when the processing of personal data, especially when utilizing new technologies and considering the nature, scope, context, and purposes of the processing, is anticipated to pose a high risk to the rights and freedoms of individuals. It also becomes necessary where for which no previous data protection impact assessment has been conducted or when the existing assessment was performed some time ago, necessitating a fresh evaluation. Moreover, a single assessment may address a set of similar processing operations that present similar high risks.
In this context, "high risk" can be categorized into the following distinct types:
Systematic and extensive evaluation of individuals
If processing involves a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significantly affect them.
When processing special categories of data (such as health data, racial or ethnic origin, religious beliefs, etc.) on a large scale or personal data relating to criminal convictions and offenses.
Large-scale monitoring of a publicly accessible area
Where the organization is engaged in large-scale, systematic monitoring of publicly accessible areas (e.g., through video surveillance).
Benefits of a DPIA
Some of the most important benefits of conducting a DPIA include the following:
Risk Identification
A DPIA, if done properly, can help identify, mitigate, and record all risks associated with an organization's data processing activities. Findings from the DPIA can be used to undertake preventative measures against potential data breaches and other forms of data privacy incidents.
GDPR Compliance
Conducting a DPIA is required for compliance with GDPR. As elaborated earlier, organizations involved in "high-risk" processing must conduct a DPIA in any case. A comprehensive and transparent DPIA is an effective way to display an organization's commitment to GDPR compliance.
Better Understanding of Data Processing Activities
Owing to the nature of how DPIAs are expected to be conducted, organizations stand to gain a better understanding of their entire data collection and processing infrastructure; critical information such as what types of data are being collected, how it is being collected, which parties have access to it, and the exact mechanisms in place to protect it.
Better Decision-Making
A thorough DPIA will give organizations a complete picture of their data processing activities. The insights from such assessments can be leveraged to make strategic decisions related to the products and services an organization offers.
Cultivating Trust
Conducting a DPIA can be particularly useful for organizations not legally obligated to conduct a DPIA as it can help demonstrate their commitment to undertaking every possible step necessary to ensure users' data is appropriately secured.
What to Include in a DPIA
GDPR Article 35 mandates the inclusion of the following elements in the assessment:
- A systematic description of processing operations and purposes of processing;
- An assessment of the necessity and scope of processing operations;
- A risk assessment of the rights and freedoms of data subjects as per 35(1) of GDPR; and
- The measures for addressing risks, including safeguards, security measures, and mechanisms to protect personal data.
Once an organization has appropriately identified any potential risks and undertaken the relevant remediation measures, it must ensure it records this activity. This document should ideally contain detailed information related to any identified risks and how they were dealt with to ensure enough context is available in case a similar problem arises.
Responsibilities of Data Controller/Data Processor During the DPIA Process
- If a DPO has been appointed, the data controller is required to seek their advice and input during the assessment. The collaboration with the DPO enhances the quality and effectiveness of the DPIA, ensuring that it aligns with both regulatory requirements and best practices.
- If the DPIA indicates that the processing would result in a high risk that is not sufficiently mitigated, the data controller is obligated to consult with the supervisory authority before proceeding with the processing.
- The relevant controllers and processors should ensure compliance with the approved codes of conduct provided in Article 40 of GDPR while performing the DPIA.
- The controller is required to periodically review data processing to ensure alignment with the initial DPIA, especially in the event of a change in the risk associated with processing operations.
- The controller should ask data subjects or their representatives for their opinions on the planned processing. This should be done without compromising the protection of commercial or public interests or the security of processing operations.
Exception
Organizations processing data under Article 6(1)(c) or (e) of the GDPR, based on European or Member State law, may not have to conduct a separate DPIA if the legislator has already performed a general impact assessment during the law-making process (as noted in Recital 93 of the GDPR). The legislator can choose to incorporate the DPIA into the legislative procedure, aiming to simplify the process for public institutions using these laws for their data processing. However, the legislator is not obligated to adopt this approach and may still require controllers to conduct their own DPIA, even if one was previously done during the legislative process.
How Securiti Can Help
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.
With the Data Command Center, you'll have access to Privacy Impact Assessments Automation. This module has been specifically designed to automate all records of processing (RoPA) reports, privacy impact assessments, and data protection impact assessments an organization may need to produce owing to their global privacy obligations.
The same module can be leveraged to monitor the real-time progress of assessments through a unified privacy dashboard, choose multiple out-of-the-box templates for privacy assessments, enable a single repository for all your assessments, provide a single view for all ongoing assessments, and so much more.
Request a demo and learn more about how Securiti can help your organization conduct today's effective and efficient data privacy impact assessment.
