Does Your Firm Process PII or Sensitive Data? Learn About Data Protection Impact Assessment
Earning customers’ trust is paramount to business success. In today’s data- and app-driven digital world, customer data is a currency for brands and businesses of all sizes, and most organizations process the personal data of individuals on a large scale for commercial benefit. Recently, the data processing activities of several leading tech companies came under regulatory scrutiny and privacy investigations, exposing the risks such processing poses to the rights and freedoms of individuals. A data protection impact assessment (DPIA) is integral to improving data management and governance and to reducing the risks that arise from handling Personally Identifiable Information (PII) during data processing.
To tread confidently amid the latest data privacy trends in 2024, we will unpack the data protection impact assessment (DPIA) and the related workflows that form part of the accountability obligations under the European Union’s GDPR (General Data Protection Regulation).
Urgency for Data Privacy with Data Protection Impact Assessment
In 2023, GDPR fines totaled €4.4 billion. The Irish Data Protection Commission investigated a renowned tech company for insufficient data protection measures during data transfers, and the company was ordered to pay a fine of over €1.2 billion. The case also reopened the discussion of a new data-sharing pact between the EU and the U.S. for companies engaged in trans-Atlantic data transfers. Many firms, including Apple, X, and Google, came under legal pressure to enforce more robust data protection and privacy practices. Collectively, 2023 stood on the cusp of massive transformation, with the enactment of new data protection laws and growing advocacy of the privacy by design approach.
Privacy has been the overarching theme for influencing businesses globally. Nearly 95% of companies deem privacy as a business necessity that should be embedded in the organizational culture.
A survey on how Americans view data privacy finds that most Americans believe businesses and governments regularly track their online and offline activities, and 81% believe the risks from personal data collection outweigh the purported benefits. The same proportion of respondents (81%) in the 2022 Cisco survey on consumer privacy believe that how a company uses and treats private data reflects its attitude towards customers, and 79% want clarity on what companies do with their data.
Along with the growing frequency of data and cyber security threats and breach incidents, data privacy legislation has evolved at global and local levels to hold organizations and business entities accountable for their data practices. To help manage data privacy compliance obligations, the OpenPages Data Privacy Management (DPM) solution enables an end-to-end, real-time view of how sensitive data is used, accessed, and stored in the organization.
To help comply with the GDPR’s DPIA obligation under Article 35, the OpenPages DPM solution includes workflows for privacy impact assessments (PIA) and DPIA. These workflows serve as a template for organizations and their privacy teams to build their own data privacy management workflows and strengthen their privacy and security posture in order to fulfill governance, risk, and compliance (GRC) requirements. Let us first understand what the GDPR requires of a DPIA.
What is a Data Protection Impact Assessment (DPIA)?
The GDPR, which became applicable on 25th May 2018, sets out the data protection impact assessment (DPIA) in Article 35. A DPIA is a process that describes the processing, assesses its necessity and proportionality, and manages the risks to individuals’ rights and freedoms arising from an organization’s data processing activities. It helps businesses (data controllers) understand how their processing systems and actions affect individual privacy and lets them take measures proactively to mitigate the risk of non-compliance. A DPIA is also a way of building and demonstrating compliance with the GDPR’s privacy by design and by default requirements. The terms privacy impact assessment (PIA) and DPIA are often used interchangeably.
All organizations engaged in processing activities that are likely to result in a high risk to individuals’ rights and freedoms must conduct a DPIA before the processing begins. Article 35(3) makes it mandatory in particular for:
- A systematic and extensive evaluation of personal aspects of natural persons based on automated processing, including profiling, on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect them.
- Large-scale processing of the special categories of data listed in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10.
- Systematic monitoring of a publicly accessible area on a large scale.
A DPIA is not mandatory for every processing activity; it applies to operations that are likely to result in a high risk to the rights and freedoms of natural persons, and it is required in particular when an organization introduces new technology. Controllers must keep assessing their processing activities on an ongoing basis to identify those that carry a high risk and to stay aligned with data protection law.
Non-compliance with the DPIA requirements (Article 83(4)) can result in administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher. The requirements apply to controllers and processors established in the EU, and also to those outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (Article 3).
GDPR’s Data Protection Impact Assessment (DPIA)
There is no ready-to-implement DPIA framework. The GDPR only sets a minimum standard for what a DPIA must contain, and organizations must build and design their own framework to suit their requirements. Below, we have outlined how organizations carry out a DPIA and use it to guide their processing activities.
- DPIA Starts Before Processing: According to the mandate, a DPIA must be carried out before the processing begins, as early as is practicable in the design of the processing operation. Even if some processing operations or their scope are not yet known, it is better to start the DPIA early and update it throughout the project; this keeps the design aligned with data protection requirements and lets the team build in controls rather than retrofit them.
- DPIA is Iterative and Requires Continuous Assessment: A DPIA is a dynamic process, not a one-time event. An organization must review and repeat the assessment whenever changes in the processing or in its technical or organizational measures alter the risk to individuals.
- Stakeholders Involved in DPIA: The controller must conduct the DPIA and remains accountable for it. The controller can consult the appointed Data Protection Officer (DPO), the Chief Information Security Officer (CISO), and independent experts such as lawyers and security and IT specialists for advice. The DPIA also documents all roles and responsibilities, and the DPO is responsible for monitoring its performance. A data processor processes data on the controller’s behalf and is obliged (Article 28) to assist the controller with the DPIA.
- Risk Components of DPIA: The GDPR itself lays down only the minimum requirements for designing and conducting a DPIA; the Article 29 Working Party (WP29) guidelines add practical guidance on scaling a DPIA to the controller’s processing. The components of a DPIA include ‘managing risks’ to the rights and freedoms of individuals by:
- Establishing the content, scope, nature, and purpose of processing activities and the sources of risks.
- Assessing the likelihood and severity of the risks, and identifying those that are high.
- Treatment of risks by mitigation measures, personal data protection, and demonstrating regulatory compliance.
- Data Controller Can Select DPIA Method: DPIA methodologies must meet the GDPR’s general requirements for the assessment. The data controller can choose any methodology that satisfies the criteria for an acceptable DPIA identified in Annex 2 of the WP29 guidelines. The WP29 also allows sector-specific DPIA frameworks to be developed to address processing operations unique to the types of data, corporate assets, threats, potential impacts, and technologies used in an economic sector.
- Publishing DPIA is not Compulsory: Controllers decide whether to publish the DPIA. Publishing at least a summary of the findings is encouraged, as it builds trust and demonstrates accountability. If the DPIA reveals a high residual risk that the controller cannot sufficiently mitigate, the controller must consult the supervisory authority before the processing starts (prior consultation under Article 36).
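The screening triggers in Article 35(3), the WP29 rule of thumb that two or more of its nine criteria usually call for a DPIA, the likelihood-times-severity risk rating, and the Article 36 prior-consultation test above can all be captured in a small screening helper. The following is an added example written for this article, not code from IBM OpenPages or from any regulator; the three-by-three rating scale, the criteria flag names, and the sample CCTV processing operation are assumptions chosen for illustration.

```python
"""Illustrative DPIA screening and risk-treatment helper (example code, not OpenPages)."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional

# The nine WP29 criteria (WP248 rev.01). A DPIA is generally needed when two or more apply.
WP29_CRITERIA = {
    "evaluation_or_scoring", "automated_decision", "systematic_monitoring",
    "sensitive_data", "large_scale", "matching_or_combining",
    "vulnerable_subjects", "new_technology", "prevents_exercising_rights",
}
# Extra flag (assumed name) needed to express Art. 35(3)(c).
ALLOWED_FLAGS = WP29_CRITERIA | {"public_area"}

# Article 35(3) mandatory triggers, expressed as combinations of flags.
ART_35_3_TRIGGERS = {
    "Art. 35(3)(a) systematic evaluation with legal/significant effects": {"evaluation_or_scoring", "automated_decision"},
    "Art. 35(3)(b) large-scale special-category or criminal data": {"sensitive_data", "large_scale"},
    "Art. 35(3)(c) large-scale systematic monitoring of a public area": {"systematic_monitoring", "large_scale", "public_area"},
}


class Likelihood(IntEnum):
    REMOTE, POSSIBLE, LIKELY = 1, 2, 3


class Severity(IntEnum):
    MINIMAL, SIGNIFICANT, SEVERE = 1, 2, 3


def risk_level(likelihood: Likelihood, severity: Severity) -> str:
    """Assumed 3x3 matrix: product >= 6 is high, >= 3 medium, otherwise low."""
    score = int(likelihood) * int(severity)
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


@dataclass
class Risk:
    """One risk to data subjects, rated before and after the planned mitigations."""
    description: str
    likelihood: Likelihood
    severity: Severity
    mitigations: list = field(default_factory=list)
    residual_likelihood: Optional[Likelihood] = None
    residual_severity: Optional[Severity] = None

    def inherent_level(self) -> str:
        return risk_level(self.likelihood, self.severity)

    def residual_level(self) -> str:
        # A mitigation that does not change a rating leaves the inherent value in place.
        lik = self.residual_likelihood if self.residual_likelihood is not None else self.likelihood
        sev = self.residual_severity if self.residual_severity is not None else self.severity
        return risk_level(lik, sev)


def screen(criteria: set) -> tuple:
    """Return (dpia_required, reasons) for a processing operation described by its flags."""
    unknown = set(criteria) - ALLOWED_FLAGS
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    reasons = [name for name, needed in ART_35_3_TRIGGERS.items() if needed <= set(criteria)]
    wp29_hits = set(criteria) & WP29_CRITERIA
    if len(wp29_hits) >= 2:
        reasons.append(f"WP29: {len(wp29_hits)} of 9 criteria met ({', '.join(sorted(wp29_hits))})")
    return bool(reasons), reasons


def assess(operation: str, criteria: set, risks: list) -> dict:
    """Screen the operation, rate each risk, and flag Art. 36 prior consultation."""
    required, reasons = screen(criteria)
    residual_high = [r.description for r in risks if r.residual_level() == "high"]
    return {
        "operation": operation,
        "dpia_required": required,
        "reasons": reasons,
        "inherent_high": [r.description for r in risks if r.inherent_level() == "high"],
        "residual_high": residual_high,
        # Art. 36(1): consult the supervisory authority when a high residual risk remains.
        "prior_consultation": required and bool(residual_high),
    }


# Constructed sample: city-centre CCTV with new analytics software (not a real deployment).
SAMPLE_CRITERIA = {"systematic_monitoring", "large_scale", "public_area", "new_technology"}
SAMPLE_RISKS = [
    Risk("Re-identification of passers-by from retained footage", Likelihood.LIKELY, Severity.SEVERE,
         ["30-day retention limit", "face blurring at the camera"], Likelihood.REMOTE, None),
    Risk("Unauthorised access to the video store", Likelihood.POSSIBLE, Severity.SEVERE,
         ["role-based access only"], Likelihood.POSSIBLE, None),
]

if __name__ == "__main__":
    for key, value in assess("City-centre CCTV analytics", SAMPLE_CRITERIA, SAMPLE_RISKS).items():
        print(f"{key}: {value}")
```

The residual rating of the second sample risk stays high because the listed mitigation only restricts who can reach the store, not the impact once someone does; that is exactly the situation in which the controller cannot simply proceed and must seek prior consultation.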
Benefits of Conducting DPIA
Conducting DPIA is a great way to govern your organization’s stance on data privacy and risks. It benefits data privacy teams and the overall organizations to:
- Define and Classify Personal Data: Businesses can establish clear norms with DPIA by defining and identifying personal data, data processing and usage, data protection methods, and data rights.
- Build Awareness of Privacy Issues: Once your business has established a clear sense of personal data and its processing with DPIA methodology, it is easier to keep track of the data privacy and protection-related issues within the organization. Awareness of the current privacy strength helps predict potential risks and threats to data subjects to preempt them with relevant strategies.
- Embed Privacy into Culture: Having a sound privacy culture is possible in organizations with deeper cognizance of the workflows and activities as well as threats to data privacy and protection. Conducting DPIA helps foster privacy by design culture where all stakeholders, including employees, have a role towards data protection and privacy.
- Discover Opportunity for Compliance: Ensuring data privacy and governance is essential to stay compliant with the current regulatory requirements. Compliance represents opportunities to leverage customer relations by fostering transparency and a strong commitment towards data privacy.
- Proactive Risk Mitigation: Before commencing the DPIA process, organizations can build data privacy teams and entrust responsibilities to evaluate and measure DPIA projects. Since it is an ongoing process, DPIA helps recognize potential privacy risks from data breaches, data misuse, and unauthorized data access by securing better data storage, access, and privacy controls. Preventing mishaps beforehand helps avoid reputational damage and regulatory fines.
OpenPages Data Privacy Management for Data Protection Impact Assessment (DPIA) & PIA
To ease your DPIA and PIA requirements, the OpenPages DPM solution includes two workflow templates that are easy to tweak and modify. These sample templates are available in new installations of OpenPages solutions and also serve as a starting point for building custom workflows.
Privacy Impact Assessment
If you are already a user of the OpenPages DPM solution, you can add a new data asset or resource imported into the Knowledge Catalog. The Privacy Impact Assessment workflow commences immediately. The privacy officer or the business owner can start the first stage, called the Data Asset Review, to review the need for privacy assessments. In case they need more information, they can request it from the data steward (primary owner) by performing the actions below:
Select Actions > Request Additional Information.
The data asset owner must provide the necessary information and choose Actions > Submit for Data Asset Review.
If there is no need for privacy assessment, the officer can select Actions > Privacy Assessment Not Needed. This immediately sets the PIA Status field to Not Needed. The PIA workflow ends here.
If the privacy officer identifies a requirement for privacy assessment, they must choose Actions > Privacy Assessment Needed. This will immediately change the PIA Status field on the resource to Needed and build a Questionnaire Assessment for the data steward or the primary owner of the data resource.
The privacy officer can select a questionnaire template for assessment, and the data steward populates the questionnaire with relevant details. Once completed, the data steward can select Actions > Submit for Approval.
Finally, the privacy officer can review the privacy assessment to Approve PIA or Reject PIA. Once the assessment is rejected, it is returned to the data steward for remediation. If the assessment is approved, the PIA workflow ends there.
(Source: IBM OpenPages Protection Impact Assessment workflow)
Data Protection Impact Assessment
After the PIA on a data asset is completed, or if a PIA is not needed, the DPIA can begin. The Data Protection Impact Assessment workflow starts automatically in either case: the DPIA Status field on the resource changes to Needed, and a Questionnaire Assessment is created and assigned to the privacy officer or the resource’s business owner.
During the initial DPIA stage, the data steward or primary owner of the data can override the workflow. If the data steward decides that a DPIA is not needed, they choose Actions > Override – DPIA not needed, which ends the DPIA workflow.
If the data steward does not override the DPIA, they complete the questionnaire assessment and then choose Actions > DPIA Completed.
Next comes the DPIA Awaiting Approval stage, in which the privacy officer or the business owner reviews the DPIA questionnaire assessment. They can reject it by choosing Actions > Reject PIA, which returns it to the data steward for remediation, or approve it by choosing Actions > Approve PIA. The DPIA workflow ends here.
(Source: IBM OpenPages Data Protection Impact Assessment workflow)
At iTech GRC, our experts urge quick action to keep pace with the evolving global data privacy landscape. Get to know our experienced GRC teams, who can help you build confidence amid changing privacy requirements and implement data privacy best practices using the OpenPages Data Privacy Management solution.
For more guidance on transforming data privacy risks with adequate data security assessments with OpenPages, connect with us now!