DPIA – Friend, not Foe.
GDPR sets out the Data Protection rules which apply to almost all organisations when handling personal data. Simply speaking, the rules outline how personal data must be processed, as well as how our various ‘data subject’ rights must be implemented. In 2018, GDPR was transposed into Irish Law with the 2018 Data Protection Act (DPA). The punitive penalties for non-compliance made us all pay attention.
A Data Protection Impact Assessment (DPIA) may be mandatory for new, and some existing, systems (see the Data Protection Commission guidelines). The Data Controller is responsible for the DPIA, so it is essential to be clear about your role on all aspects of a new system. Most of our systems have complex data architectures and information flows, so we need to carefully examine our relationship with the data. Are you the sole controller, are there any joint controllers or data processors involved? Various EU cases have revealed interesting outcomes when it comes to Controller vs Processor roles – see the EU Jehovah’s Witness case as a good example. We can’t assume that just because we don’t have access to data, we are not a controller.
While often seen as onerous, the DPIA can actually be a key ally to help ensure GDPR compliance. Let’s simplify what it is, who does it, and when and how is it done:
So, what is a DPIA? In simple terms, it is a comprehensive review of your planned processing to verify that it is lawful, and that you are not introducing unacceptably high risks to the individuals involved.
Who should do the DPIA? The project team for a new system is usually the best placed to do the DPIA. This is because they are the team with the best understanding of the system – from both technical and business perspectives.
When should it be done? A DPIA should be started as early as possible in the system development lifecycle. This will incorporate a ‘privacy by design’ mindset into the system. Even in an agile world of incremental builds and evolving requirements, an early DPIA will positively impact design and reduce later re-work.
How should a DPIA be conducted? A useful way to think of it is under the headings of 1) Data Protection: the proper collection, processing, disclosure, retention and disposal of personal data and 2) Data Security: protecting the data against unauthorised processing, loss, destruction or damage.
Let’s look at each one in turn.
1) Data Protection. Consider the 7 key GDPR principles in relation to your planned processing. Include all data received from or shared with other organisations. What is the lawful basis for the processing? How long will you retain the data? Are you minimising the data? And so on.
2) Data Security. Evaluate the potential risks and how you will mitigate them. With an endless list of potential risks, try using the C-I-A approach. Confidentiality – identify the possible routes to unauthorised access to, or sharing of, the personal data. Integrity – how might unwanted modifications be made to the data? Availability – could the data be removed or compromised, and therefore lost? For each risk, identify your relevant controls to mitigate them. You may spot gaps in your system design or in your policies which you can address now. If you are left with unacceptably high risks, despite your controls, you must consult with the DPC. In this case, it may be preferable to re-think your plans.
Doing a DPIA may feel daunting, especially for smaller organisations with limited experience or resources. Try to think of the DPIA as your friend in the context of GDPR compliance. Play out the subject rights as you think through all the possible scenarios of what could go wrong. The cyber security industry is in constant catch up mode, so it is impossible to think of every risk – “we don’t know what we don’t know”. Future data breaches and cyber hacks will reveal new sources of risk and we will respond with new controls to mitigate them. An on-going case with the HSE in Cork illustrates this point. Which of us has “do not user your mobile to take photos of personal data on your screen” in our Acceptable Usage Policy?
Make sure you keep records during your DPIA. In the event of an audit or breach, it will be the first thing you are asked for. Even the largest global organisations can fall foul of this, see the 2020 Facebook DPIA case where a dating service launch had to be halted ahead of a planned Valentine’s Day release.
Finally, your DPIA is a living document. You must keep it under review, especially with significant changes in your processing. Keep your focus on the controls you have in place for the DPIA. Remember that the DPIA is merely a statement of intent – it is not what you say will do, but what you actually do, that counts.
If your project requires a DPIA or you’re trying to figure out if you need a DPIA, get in touch and we’d be happy to talk!
This post was contributed by Sue Mateja, associate consultant with Clarion Consulting.