Data Protection Impact Assessment (DPIA)
Roseman Labs is powered by the innovative technique of Secure Multi-Party Computation (MPC). MPC enables secure and collaborative analysis on confidential data, ensuring that sensitive information remains protected and undisclosed to any individual party involved. However, while MPC offers tremendous benefits in terms of privacy and data protection, it is crucial for organizations to establish robust compliance processes to ensure the lawful and responsible use of MPC.
The aim of this article is to address commonly asked questions about the DPIA-process.
What is a DPIA?
According to Article 35 of the GDPR, a DPIA is defined as follows:
"A data protection impact assessment is a systematic process designed to identify and assess the risks arising from the processing of personal data. The assessment should particularly address the necessity and proportionality of the processing operations, and identify measures to address those risks, in order to demonstrate compliance with the GDPR."
The objective of a DPIA is to ensure compliance with the GDPR and provisions from EU Member States to enact national legislation regarding certain elements of the GDPR with the aim to protect individuals' rights and freedoms with regard to their personal data.
How can I determine whether I need to initiate the DPIA process?
It's important to determine whether you need to perform a Data Protection Impact Assessment (DPIA). This evaluation should assess the specific circumstances of your data processing activities.
You must perform a DPIA if you are:
- Processing sensitive data: personal data, such as health information, biometric data, or data revealing racial or ethnic origin, a DPIA is often required due to the increased risks associated with this type of data.
- Performing large-scale processing: processing personal data on a large scale, such as a comprehensive customer database or a wide-reaching marketing campaign.
- Engaged into systematic monitoring: If you are engaged in systematic and ongoing monitoring of individuals, such as employee surveillance or tracking of individuals' online behavior.
- Using innovative technology: If you are utilizing new or innovative technologies, such as facial recognition, IoT devices, or big data analytics, a DPIA is often recommended to assess the potential privacy risks and implications associated with these technologies.
- Potential high risk to individuals' rights: Assess the potential risks to individuals' rights and freedoms arising from your data processing activities. Consider factors such as the nature of the data, the purpose of processing, the potential harm to individuals, and any mitigating measures in place.
Who should be involved in the DPIA process?
The DPIA process typically involves the collaboration of various stakeholders within an organization. The specific individuals or departments involved may vary depending on the size and structure of the organization, as well as the nature and scope of the data processing activities. Here are some key stakeholders who should be involved in the DPIA process:
- Data Protection Officer (DPO): The DPO can provide expertise on data protection regulations, facilitate the DPIA process, and ensure compliance with legal requirements.
- IT/Security Teams: The IT and security teams are crucial stakeholders in the DPIA process, as they possess technical expertise and can assess the security risks associated with data processing activities. They can evaluate the effectiveness of existing security measures and recommend additional safeguards to protect personal data.
- Project/Process Owners: The individuals responsible for the project or process that involves the data processing activities should actively participate in the DPIA process.
- Legal and Compliance Departments: Legal and compliance teams should be involved to ensure that the DPIA aligns with applicable data protection laws, regulations, and internal policies. They can provide guidance on legal requirements, assess the legality of the proposed processing activities, and ensure that the organization's privacy practices are compliant.
- Internal or External Auditors: In some cases, internal or external auditors may be involved to review the DPIA process and assess the effectiveness of the organization's privacy and compliance practices.
What are the key steps?
The main steps in the DPIA process are as follows:
- Identify the need for a DPIA: (check "How can I determine whether I need to initiate the DPIA process?")
- Scope the assessment: Clearly define the scope of the DPIA, including the specific data processing operations and systems to be assessed.
- Assess privacy risks: Identify and assess potential risks to individuals' privacy rights and freedoms arising from the data processing activities.
- Evaluate necessity and proportionality: Assess the necessity and proportionality of the processing, considering if there are less intrusive alternatives or ways to minimize the data collected.
- Identify and implement measures: Identify and implement appropriate measures to address the identified risks, such as technical and organizational safeguards.
- Consult relevant stakeholders: Seek input and consult with relevant stakeholders, including data protection officers, legal advisors, and individuals whose data is being processed.
- Document the DPIA: Document the entire DPIA process, including the information gathered, risks identified, measures implemented, and stakeholder consultations.
- Integrate findings into decision-making: Use the findings from the DPIA to inform decision-making processes, such as modifying the processing activities or implementing additional safeguards.
- Review and update: Periodically review and update the DPIA, especially when there are changes to the data processing activities or new risks emerge.
At a high-level, these are the key steps to take:
- Controller draws up the DPIA
- Controller submits this to its Data Privacy Officer for advice
- Senior Management of the controller approves the final DPIA, documenting any deviation from the DPO advice with reasoning.
See this excellent overview at GDPR.eu: https://gdpr.eu/data-protection-impact-assessment-template/
How can Roseman Labs help?
We have been involved in several DPIA processes specific to the application of Secure Multi-Party Computation. We can help you better understand the nature of the MPC-processing activities and the risks involved.
Where can I find templates?
Please find two excellent templates below:
1. For Dutch entities, consider the Model DPIA Rijksdienst from kcbr.nl: https://www.kcbr.nl/beleid-en-regelgeving-ontwikkelen/beleidskompas/achtergrond-beleidskompas/verplichte-kwaliteitseisen/data-protection-impact-assessment#Waar (or jump directly to Word doc)
2. DPIA Template [ENG] and detailed instructions on the process by the UK ICO: https://ico.org.uk/media/for-organisations/documents/2553993/dpia-template.docx
We are happy to share the templates that we use to support our clients where possible/relevant.