How to Conduct a DPIA: A Practical Guide – by Els Houtman<\/p>\n\n\n\n
Want to tackle a Data Protection Impact Assessment (DPIA)? Here\u2019s a clear approach to guide you through it \u2014 one step at a time.<\/p>\n\n\n\n
Start by asking: is this project likely to pose a substantial risk to people\u2019s privacy?<\/p>\n\n\n\n
A DPIA is typically needed if:<\/p>\n\n\n\n
\u00b7 You are using new or innovative technologies<\/p>\n\n\n\n
\u00b7 You are handling sensitive or large volumes of personal data<\/p>\n\n\n\n
\u00b7 Your processing could significantly affect individuals\u2019 rights (e.g. if profiling, monitoring is involved)<\/p>\n\n\n\n
Get a full picture of the data lifecycle:<\/p>\n\n\n\n
\u00b7 What data are you collecting?<\/p>\n\n\n\n
\u00b7 Where does it come from?<\/p>\n\n\n\n
\u00b7 Why is it needed?<\/p>\n\n\n\n
\u00b7 Who has access?<\/p>\n\n\n\n
\u00b7 How long will you keep it?<\/p>\n\n\n\n
Understanding the dataflow is key to identify risks later on.<\/p>\n\n\n\n
Ask the tough questions:<\/p>\n\n\n\n
\u00b7 Is all the data truly necessary to achieve your goal?\/Could you manage with less?<\/p>\n\n\n\n
\u00b7 Are there other ways to achieve the same purpose?<\/p>\n\n\n\n
\u00b7 Does the processing effectively help you meet your goal?<\/p>\n\n\n\n
The more focused and minimal the approach, the better.<\/p>\n\n\n\n
Check the envisaged processing against all GDPR\u2019s key principles: lawfulness\/fairness\/transparency, purpose limitation, data minimisation, storage limitation, accuracy, and security (integrity and confidentiality).<\/p>\n\n\n\n
Where appropriate, involve data subjects to get their input or flag any concerns. Even a simple form of consultation can go a long way in increasing transparency and spotting risks early. If you decide not to consult, make sure to record that decision and explain why.<\/p>\n\n\n\n
Think through possible scenarios \u2013 the \u201cwhat ifs\u201d:<\/p>\n\n\n\n
Could the data be lost, misused, or accessed by unauthorized parties?<\/p>\n\n\n\n
What impact would this have on the individuals involved?<\/p>\n\n\n\n
Anticipating and addressing risks helps avoid more serious issues down the line.<\/p>\n\n\n\n
Time to act. Depending on the risks identified consider:<\/p>\n\n\n\n
\u00b7 Limiting data collection<\/p>\n\n\n\n
\u00b7 Strengthening information security (encryption, access controls, etc.)<\/p>\n\n\n\n
\u00b7 Anonymising or pseudonymising data where possible<\/p>\n\n\n\n
\u00b7 Etc.<\/p>\n\n\n\n
The goal is to mitigate and eliminate risks, or to bring them down to an acceptable level.<\/p>\n\n\n\n
Make sure to document all your findings, decisions, and actions. This is your evidence that you\u2019ve considered privacy and addressed it properly.<\/p>\n\n\n\n
If you have a Data Protection Officer, document their advice.<\/p>\n\n\n\n
Decision not to go with their advice? Justify and document your reasons.<\/p>\n\n\n\n
And if considerable risks remain despite additional safeguards, consult the data protection authority before moving forward.<\/p>\n\n\n\n
One last thing: make sure your DPIA is accurate and truthful \u2013 don’t fool yourself. An inaccurate DPIA can lead to blind spots in your privacy approach \u2013 and consequences can be serious.<\/p>\n\n\n\n