What is a Data Protection Impact Assessment (DPIA)?

What is a DPIA and when should one be done?

The General Data Protection Regulation requires the data controller to carry out a data protection impact assessment (DPIA) whenever the processing of personal data is likely to cause a high risk to the rights and freedoms of natural persons. The DPIA must be drawn up before the high-risk processing of personal data begins.

Examples of processing operations likely to cause high risk are systematic monitoring of data subjects, reporting systems (regardless of whether the channel falls under the Act on the Protection of Informants or not), processing of special categories of personal data, and other large-scale processing of highly personal data. It is the responsibility of the data controller to identify the likely high risks to the data subjects and to carry out a data protection impact assessment. A high risk can be identified, for example, from the General Data Protection Regulation’s example list, the Data Protection Commissioner’s list, or the Data Protection Working Group’s instructions.

Has your organization carried out impact assessments?

Let’s imagine a situation where the company you represent uses artificial intelligence to optimize the flow of customer deliveries based on employee location data.

Your colleague asks you if there are any privacy risks associated with your company’s artificial intelligence system.

What do you answer?

The Data Protection Commissioner has listed high-risk processing activities for which the controller must prepare a data protection impact assessment. Such situations include, for example, the processing of location data in connection with the innovative use of new technical and organizational solutions (artificial intelligence) and the processing of location data of vulnerable data subjects (employees). In addition, based on the guidelines of the Data Protection Working Group, the following risk factors can be identified: systematic monitoring through location data, location data as highly personal information, the weak position of the data subject as an employee, and the use of artificial intelligence as an innovative use of new technical or organizational solutions.

So you answer your co-worker that we have identified the processing as risky and prepared a data protection impact assessment. In doing so, we have identified exactly what kind of processing of personal data is involved and found that the processing is proportionate to its purposes, so that the risky processing does not include anything unnecessary. Based on this description of the processing, we have been able to assess the potential risks to the data subjects in this particular situation and to implement protective measures that reduce those risks. Your colleague listens with interest and says, impressed: “Great story!”

A participatory solution for impact assessment from Privaon

Privaon’s data protection experts help with your organization’s data protection impact assessments on a workshop basis. As a result of the evaluation, your organization will receive a systematic description of the processing operations that are the subject of the impact assessment, an assessment of the necessity and proportionality of the processing operations, an assessment of the risks to the rights and freedoms of the data subjects, as well as documentation of risk-reducing protective measures relevant to the obligation to provide proof.

Participatory workshop work promotes your organization’s compliant data protection. In addition, a well-prepared impact assessment brings cost savings and develops your organization’s privacy-friendly reputation. The impact assessment also develops customer trust and commits personnel to identifying and managing privacy risks.

Check out the Data Protection Impact Assessment here.