A brief overview of DPIA methodology
This article focuses on a new instrument which could be described as half audit and half project management. In Article 35, the General Data Protection Regulation provides a specific analytical tool that closely resembles an instrument assessors already know: information security risk management. Please note that this article will not review the GDPR impact assessment methodology in depth, phase by phase. Rather, it gives an overview of all the phases of such an assessment. Other articles in this series will explain the details of each phase.
The nature of a DPIA
If you have read the article on The role of the DPO, you may have noticed that the role of the DPO is quite horizontal, mixing legal, evaluation, technical and communication skills. The DPIA is the embodiment of that mix. Additionally, since the DPIA is carried out by the data controller with the assistance of its data processors, it is fair to say that the DPIA is the ideal tool for demonstrating the responsibility and accountability of a business.
There is a legal obligation to carry out an assessment if the processing is likely to result in a high risk to the rights and freedoms of data subjects (Art. 35 GDPR). Given the stakes for a business and the evolution of IT systems, a risk management approach enables an organisation to determine the controls it needs: by studying the processing, prioritising the risks and treating them in a proportionate manner, it can optimise costs and make informed decisions. Lastly, a DPIA helps a business demonstrate that it has implemented the privacy principles. Consequently, we can fairly say that a DPIA is a compliance tool, and one that is to be used before the processing is implemented (ex ante analysis).
A brief overview of its methodology
A DPIA normally consists of several phases. Each of these phases analyses a specific feature of your data processing against a series of controls and checks. If you have ever wondered what a pilot and co-pilot do before taking off, they run a checklist of their instruments against a regulated and reviewed series of controls. A DPIA is similar, but unlike an aircraft checklist it allows some flexibility.
A DPIA is adaptable to the depth of assessment you wish to conduct, meaning that no time frame is prescribed for each element of the assessment. In other words, if your assessment team wishes to spend time elaborating on controls, or searching for and studying threats to the processing, you should let them do it, since remedies are the expected outcome of this analysis. In terms of methodology, Article 35(7) of the Regulation lists the minimum elements to be assessed (a description of the processing and its purposes, an assessment of its necessity and proportionality, an assessment of the risks to data subjects, and the measures envisaged to address those risks). These are described below in 5 phases:
- Phase 1 is essentially a detailed inventory of the data processing, including the data it uses, the details of its controllers and processors, its legal basis and the retention periods applied to the data. It resembles the old notification format required by Directive 95/46/EC, which disappears when the GDPR applies from 25 May 2018.
- Phase 2 identifies the legal and risk treatment controls which are currently implemented. This phase covers the existing set of measures from a legal, technical, physical and organisational point of view. The objective is to control any risks that can be identified before the data processing is implemented. If, for instance, your business has not reviewed its policy on access to its premises (e.g. badge issuance, access logs, etc.), you probably need to do so before extending that policy to a newly built or acquired area of your premises, or to a new system.
- Phase 3 lists the risk sources to the data processing. It raises the following question: "will my business suffer from this new data processing, and if so, where and when will it suffer?" This phase focuses on possible privacy intrusions (e.g. damage caused by inaccurate data or a security breach) and on an assessment of corporate risks, damage to reputation and financial costs. It calls for imagination, since a fair number of risk sources have to be considered against your business. If you lead a banking firm, one of your risk sources is that your database could be compromised and fraudulently accessed. That is a security risk in itself, but it also carries a financial risk to your stock price and a risk to your reputation in the eyes of your clients.
- Phase 4 is about analysing and listing potential negative events and threats to the data processing. What distinguishes it from Phase 3 is that it focuses on data subjects' personal data and on the potential impacts of the new processing on that data. Whether the events are internal or external, human or non-human (technical), this phase is particularly relevant where new technology is involved: new technologies may lack clear, privacy-friendly safeguards and thus expose data subjects to threats such as hacking, phishing and spamming. Its purpose is to determine which types of threat your processing may be exposed to. Let us assume that you are the director of a large hospital. Your patients' health records are very sensitive. A human threat would be that those records are accessed by the wrong staff members for the wrong reasons; a non-human threat would be that the hospital's systems run an operating system that has not been updated in 10 years. In the first case you have to fear unauthorised and fraudulent access; in the second, a cyber-attack exploiting known, unpatched vulnerabilities in that operating system. Either way, the medical confidentiality of your patients is threatened if you do not remedy the threat.
- Lastly, Phase 5 takes the form of a report that summarises the analysis, the current controls, the risks to your business and the threats to personal data. The report sets out the organisation's options for addressing each identified risk, threat and flaw, and states whether each option would result in the risk being eliminated, reduced or accepted as it is. The report is recorded, kept and presented to the main managers of your organisation, who can then decide which actions have been taken or still need to be taken, and follow them up. Where the report shows that a high risk remains even after the planned measures, the controller must consult the supervisory authority before starting the processing (Art. 36 GDPR). Note that such reports contribute to your compliance with the GDPR principle of accountability.
Added value of a DPIA
A DPIA represents added value to your business. It might appear to be a lengthy and time-consuming exercise. However, while a DPIA 'green-lights' the compliance of a specific data processing operation, it also provides a preliminary analysis of that processing by the internal staff involved in the DPIA, and shows good faith towards the national authorities and your customers.
Such an assessment provides a powerful opportunity to review documents, prepare the implementation of your project, build or adapt your policies, upgrade technical measures and reinforce your controls. In short, the DPIA encourages your staff to exchange views and raises awareness of personal data protection within your company.
Demonstrating your compliance to your data protection authority is what you need to keep in mind. The authority can ask to see your assessments, since you must keep a record of them. In the event of an audit on your premises, you will be able to show good faith by producing those records. As regards your customers, you will reassure the data subjects that you safeguard their data, and you will protect your reputation.
To help you decrease the risks and avoid the most common mistakes in handling data, try this online Security Awareness Training.