ePrivacy has recently published a first template for the preparation of a Data Protection Impact Assessment (DPIA), bringing light and structure to this topic:
What exactly is a DPIA?
A Data Protection Impact Assessment (DPIA) is a procedure to ensure and demonstrate compliance with the legal requirements of the GDPR. The DPIA is used to analyze particularly high-risk data processing operations. The relevant provisions of the GDPR provide the framework for the development and implementation of a DPIA. These include, in particular, Article 35 of the GDPR and Recitals 84, 90, 91, 92 and 93 of the GDPR.
Under what circumstances must a DPIA be performed?
Controllers must perform a DPIA if the preceding risk analysis comes out positive, i.e. indicates a high risk. The risk analysis must assess whether the processing of personal data, particularly when using new technologies, is “likely to result in a high risk to the rights and freedoms of natural persons”.
When conducting the DPIA, the advice of the Data Protection Officer must be sought (if one has been appointed), Art. 35(2) GDPR. In addition, if the DPIA shows that the processing still poses high residual risks (despite measures), the data controller must consult the supervisory authority before processing, Art. 36 GDPR.
The controller may also consider publishing the results, or at least a summary of them.
When should a DPIA be carried out?
The DPIA must be prepared at the earliest possible stage, before the processing activities in question begin. Controllers must continuously assess their processing operations in order to identify the risks affecting them. The DPIA is therefore an ongoing process that remains dynamic in the face of constant change.
What are the consequences of non-compliance?
If a DPIA is not carried out although it is necessary for the specific processing, if it is not carried out properly, or if the competent supervisory authority is not consulted although this is required, severe fines may be imposed.
What is PIA in this context?
PIA (Privacy Impact Assessment) is an open-source application developed by the French Data Protection Authority (CNIL) to help data controllers prepare for and demonstrate compliance with the GDPR. It supports conducting a privacy impact assessment by simplifying the use of the PIA methodology developed by CNIL.
Due to the complexity and importance of a DPIA, we recommend having the final result assessed by legal experts familiar with data protection issues.
The colleagues of ePrivacy are happy to support you. Customers who have booked our ePrivacyaudit will find the template for creating a DPIA under chapter “Templates/Risk Assessment”.