Conducting Data Protection Impact Assessments Under GDPR
by Jaap van Duijvenbode on April 20, 2018
Under the European Union's General Data Protection Regulation (GDPR), which applies from 25 May 2018, organizations handling the personal data of people in the EU must assess the privacy impact of new data processing activities that are likely to result in a high risk to individuals' rights and freedoms (Article 35). A data protection impact assessment (DPIA) is required in particular when you roll out new technologies that involve the following kinds of processing:
- Systematic and extensive evaluation of the personal aspects of natural persons based on automated processing, including profiling, where the resulting decisions produce legal effects for those persons or similarly significantly affect them
- Large-scale processing of the special categories of data listed in Article 9 (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, data concerning health, and data about a person's sex life or sexual orientation), or of data relating to criminal convictions and offences as covered by Article 10
- Systematic monitoring of a publicly accessible area on a large scale
So what does this list mean in everyday language? If you're a healthcare organization, you need a DPIA for activities involving the processing of personal health data or genetic information. If you generate CRM profiles from publicly available social media data, you need a DPIA documenting the scope and risk of that profiling. If you're monitoring people who don't necessarily know they are being observed (for example, CCTV covering a public area), or you're building a large database that exposes information about people in ways that are not illegal but may significantly affect them, you need to complete a DPIA before launching any of those activities.
DPIA: When to Perform One and Who's Responsible for It
GDPR differentiates between data controllers and data processors. A controller determines the purposes and means of the processing; a processor processes personal data on the controller's behalf. Controllers bear the responsibility for conducting and documenting DPIAs when one is warranted, although processors are required to assist them (Article 28). If you're a controller and you fail to conduct a DPIA when one is required, the penalty can be up to €10 million or 2 percent of your annual worldwide turnover, whichever is higher.
Controllers are responsible for conducting DPIAs when they deploy a new technology or launch a new activity that could place people's rights and freedoms at high risk. Some organizations employ a data protection officer (DPO) who advises on data management and its impacts; where a DPO has been appointed, the controller must seek the DPO's advice when carrying out a DPIA. But remember this, and it's important: people's rights can be put at risk by a data processing activity even when its purpose is benign. Don't just think in terms of protecting data from breaches: think of the consequences to the individual if you use their data improperly.
Imagine that you've decided to use targeted social media advertising to recruit new job candidates. You analyze social media data to build a profile of your ideal ad recipient, and you use that analysis to purchase targeted job ads on a popular social network. The question in this situation is less about whom you chose to see the ad than about whom you excluded. If you targeted only viewers younger than 40, you have used data to run an activity that discriminates on the basis of age. Conducting a DPIA beforehand and thinking through all possible consequences could save your organization from exposure to regulatory penalties and civil liability.
The good news is that the DPIA process is somewhat open-ended, and you can tailor it to the data management needs and workflows of your organization. According to the UK Information Commissioner's Office (ICO), a DPIA should include the following steps, but you have flexibility in how you execute them:
- Identification of need for DPIA
- Overview of data flows
- Identification of risks to privacy and individual rights
- Development of solutions to address risks
- Documentation and signing off on DPIA
- Incorporation of DPIA recommendations into the processing activity
- Consultation with both internal and external stakeholders as needed
The bad news is that too many organizations don't understand their own internal data flows well enough to conduct accurate assessments. A retailer, for example, may have a central social media account, but individual branches may run their own social network accounts and use customer data in ways that are not GDPR-compliant. When all customer data is stored in and accessed from one central repository instead of being scattered across branch offices and third-party SaaS environments, you can be more confident in your understanding of the data flows within your organization, and you can put the right GDPR-compliant controls in place. Centralization does not remove the need for those controls: a single store still needs access control, logging, and retention rules so that the mitigations recorded in the DPIA are actually enforced.
Better DPIAs With Talon FAST™
Good data management is the cornerstone of any good DPIA. Talon FAST™ centralizes your organization's file data, enabling remote and branch offices to access it when needed while caching only active data locally. You gain better visibility into how data is used within your organization, which makes DPIA preparation easier while reducing your GDPR noncompliance risk. You also get this visibility fast, since Talon FAST™ is ready to deploy on Windows Server 2012 and above and integrates easily into any Microsoft ecosystem.
Learn more about the Talon FAST™ solution and how it can help with GDPR compliance today.