DPIA

Data Protection Impact Assessments (DPIA) | GDPR Consulting & Advisory Services

GDPR Data Protection Impact Assessments

Centris offers industry leading Data Protection Impact Assessments (DPIA) as required by the GDPR and other growing data privacy laws and regulations throughout the globe.

The General Data Protection Regulation (GDPR), under Article 35, requires, under certain circumstances, that a Data Protection Impact Assessment (DPIA) be performed by controllers if certain conditions exist. Specifically, “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons…”.

Proven 7 Step Methodology for an Efficient and Comprehensive DPIA Report

In line with industry best practices regarding the GDPR, Centris follows the well-known seven (7) step DPIA process for ensuring complete coverage of all required subject matter from beginning to end:

Step 1: Pre-Assessment Determination
Step 2: Description of “Processing” of Data
Step 3: Consultation with Individuals
Step 4: Assessing Necessity and Proportionality
Step 5: Risk Identification and Assessment
Step 6: Risk Reduction and Mitigation
Step 7: Issuance of DPIA Report

Step 1: Pre-Assessment Determination

An organization is to first determine if a DPIA is even necessary, based primarily on the requirements put forth in the GDPR. As such, our first step is to do a pre-assessment determination in examining the following GDPR subject matter to make a final decision if in fact a DPIA is ultimately necessary:

Systematic Description of the Envisaged Processing Operations.
Existing Technologies.
New Technologies.
Nature, Scope, Context, and Purpose of Processing.
Systematic and Extensive Evaluation of Personal Aspects based Automated Processing (Profiling and Similar Activities).
Systematic Monitoring of a Publicly Accessible Area.
Large Scale Processing of Special Categories of Data.
Determination of High Risk (Yes, No, Pending).

dv id="Step 2: Description of “Processing” of Data" cl">&n"sp;

Step 2: Description of “Processing” of Data

If a DPIA is needed, then it’s on to understanding the many measures regarding “processing” - specifically, the “nature, scope, context and purposes of the processing”. This in turn requires conducting the following measures:

Assessing, defining, and documenting the description, purpose, interests pursued by the controller, use and interface specifics, data flow processing operations, and other related subject matter.
Assessing, defining, and documenting the network architecture, software platform, servers, applications, size and scale of the environment, network security, and other related subject matter.
Assessing, defining, and documenting functional roles of the envisaged processing operations and system, and other related subject matter.
Assessing, defining, and documenting data types and formats, and other related subject matter.
Assessing, defining, and documenting data retention, destruction/disposal initiatives, and other related subject matter.

Step 3: Consultation with Individuals

Per ico.org.uk, “If the DPIA covers the processing of personal data of existing contacts (for example, existing customers or employees), you should design a consultation process to seek the views of those particular individuals, or their representatives.” Additionally, per ico.org.uk, … “If the DPIA covers a plan to collect the personal data of individuals you have not yet identified, you may need to carry out a more general public consultation process, or targeted research.”

CENTRIS

Leaders in Security & Regulatory Compliance

Risk Strategies & Methodologies

Risk management planning reduces exposure to a wide-range of issues that could have detrimental effects on a business. Not knowing, planning, or responding to risks and related issues can leave an organization with few options in combating risks when they actually surface.

CENTRIS Advisory Methods

Strategic Planning & Integration

Every organization is moving towards a digitized business model, so isn’t it time to strategize on some of the most critically important elements for your business?

Explore CENTRIS Strategies

Regulatory Compliance Experts

Build scalable, adaptable, and efficient compliance solutions for increased organizational efficiency, while also improving core InfoSec, cybersecurity, operational and data privacy controls and best practices.

Regulatory Compliance For All Industries

GDPR Legal Requirements Demand that a DPIA be Performed

In accordance with Article 35(3), a data protection impact assessment is to be required in the case of:

Systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offenses referred to in Article 10; or
A systematic monitoring of a publicly accessible area on a large scale.

Step 4: Assessing Necessity and Proportionality

Per Article 29 of the GDPR, organizations are to include how you ensure data protection compliance, which is a good measure of necessity and proportionality. In particular, you should include relevant details of:

your lawful basis for the processing;
how you will prevent function creep;
how you intend to ensure data quality;
how you intend to ensure data minimization;
how you intend to provide privacy information to individuals;
how you implement and support individuals' rights;
measures to ensure your processors comply; and
safeguards for international transfers.

Step 5: Risk Identification and Assessment

It’s also critical when performing a DPIA to conduct an assessment of risks relevant to the organization’s processing activities. Specifically, organizations should assess, define, and document all relevant risks that could impact the organization’s processing activities. Risk considerations should include, but are not limited to, the following:

inability to exercise rights (including but not limited to privacy rights);
inability to access services or opportunities;
loss of control over the use of personal data;
discrimination;
identity theft or fraud;
financial loss;
reputational damage;
physical harm;
loss of confidentiality;
re-identification of pseudonymised data; or
any other significant economic or social disadvantage

Step 6: Risk Reduction and Mitigation

All organizations will have identified relevant risks that will need to be mitigated to the fullest extent possible. With a properly performed risk assessment, organizations can then assess which options to best reduce risk. Every organization is different, and as such, measures to reduce risks will be different also. Yet with that said, there are common areas that all organizations should consider in terms of risk reduction, and Centris can help identify such measures.

Step 7: Issuance of DPIA Report

The conclusion of a DPIA is a final, formal report documenting the following:

Additional measures you plan to undertake.
whether each risk has been eliminated, reduced, or accepted.
the overall level of ‘residual risk’ after taking additional measures.

Whatever the findings are, it’s important to then implement them into your existing control environment. With Centris, we offer a wide range of data privacy services, including assessments & programs, data governance, data mapping, PIA, DPIA, GDPR assessments, CCPA/CPRA assessments, international international privacy assessments, U.S. state privacy assessments, EU Cloud Code of Conduct, Microsoft SSPA/DPR, along with data privacy programs.