In today’s world, a high volume of data is exchanged on the Internet or stored on cloud servers. The data that an organization collects in conducting its business usually also contains confidential or sensitive personal information pertaining to the Data Subjects.
A Data Subject is any individual whose personal data is being collected, stored, or processed by an organization. It is therefore essential for an organization to manage and store data in a manner that respects the privacy of the Data Subjects and other entities. The General Data Protection Regulation (GDPR) is one such regulation that addresses data protection and privacy in the European Union (EU). One of the many important facets of the GDPR is the Data Protection Impact Assessment (DPIA), the parameters of which are stipulated in Article 35.
A DPIA is a process wherein an assessment is conducted in order to understand the potential risks which are likely to arise in the processing of personal data. A DPIA also includes proposing the way forward to mitigate such risks as far as possible. All companies – whether Micro, Small, and Medium Enterprises (MSMEs) or large-scale conglomerates – are obligated to conduct a DPIA. Incorporating the process of DPIA into the organization is one of the key requirements of the GDPR that needs to be complied with.
It is pertinent to note that a DPIA must be performed prior to the initiation of personal data processing, which includes the collection, storage, transfer, and usage of personal data. Therefore, essentially, a DPIA must be performed before the collection of personal data.
This requirement is interlinked with the concept of data protection by design and by default under Article 25 of the GDPR. Despite being an obligation, it is not strictly mandatory to perform a DPIA for all data processing.
Article 35(1) of the GDPR states that the process must be carried out if the processing of data is “likely to result in a high risk to the rights and freedoms of natural persons”.
However, some clarity as to what constitutes a ‘high risk’ is given in the Article 29 Working Party Guidelines, which mention ten criteria; if even one of them is satisfied, it becomes mandatory for the organization to conduct a DPIA. Additionally, Article 35(3) of the GDPR sets out three non-exhaustive examples wherein a DPIA must essentially be carried out. Moving forward, we will discuss the same in detail.
SCOPE AND PROCESS OF DPIA
A. SCOPE OF DPIA
Article 3 of the GDPR deals with its territorial scope and states that the GDPR is applicable if the processing of personal data takes place in the context of the activities of an organization in the EU, regardless of whether the processing itself takes place in the EU or not. Additionally, it applies to the processing of personal data of Data Subjects in the EU by an organization not established in the EU, where the processing activities are related to:
(a) The offering of goods or services to such Data Subjects in the Union, irrespective of whether a payment by the Data Subject is required; or
(b) The monitoring of their behaviour as far as their behaviour takes place within the Union.
Therefore, the obligation to carry out a DPIA automatically applies in all jurisdictions where the GDPR is applicable.
B. PROCESS OF CONDUCTING DPIA
- Assessment of the Necessity of DPIA– It is mandatory to carry out a DPIA in the case of a high-risk data project, but not otherwise. The criteria for the same are given under the Article 29 Working Party Guidelines.
- Description of the Data Processing– Describing what personal data processing is to be done presently, as well as in the future, and the purpose behind such processing.
- Necessity and Proportionality of the Data Processing concerning the Purposes– The person conducting the DPIA has to check whether such data processing is necessary and proportionate, with reference to the basic principles of the GDPR.
- Risks to the Rights and Freedoms of Data Subjects– Article 35(7)(c) of the GDPR states that the DPIA shall contain at least an assessment of the risks to the rights and freedoms of Data Subjects, in order to check whether the Data Controller, i.e. the person, company or body that stipulates the purpose and procedure of processing the data, adheres to the Data Subject’s rights. Identifying the nature and severity of the risk is essential.
- Measures to Address the Risk– This step involves the remedies for the risks assessed in the previous step, to eliminate or mitigate the impact of such risks.
- Advice from the Data Protection Officer– Article 35(2) of the GDPR requires the Data Controller to seek the advice of the Data Protection Officer (DPO), where one has been designated, when carrying out a DPIA. However, it is best to involve the DPO from the beginning of the assessment for better compliance.
- Consultation with the Data Subjects– Article 35(9) of the GDPR places an obligation on Data Controllers to consider the views of their Data Subjects or their representatives regarding the processing. However, this step remains optional for the Data Controller.
- Report– This step stems from Article 35(7)(d) of the GDPR, which places an obligation on the Data Controller to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of Data Subjects and other persons concerned. Every step of the DPIA has to be recorded, along with the risks involved, the possibility of residual risk, whether such risks have been eliminated or not, and the reasons for the same.
- Review– A review of the data processing is necessitated under Article 35(11) of the GDPR, to check whether the processing is being performed in accordance with the DPIA. A change in the risk will warrant a fresh review.
CONDITIONS FOR CONDUCTING A DPIA
According to Article 35(1) of the United Kingdom General Data Protection Regulation (UK GDPR), there is a legal obligation upon entities to perform “an assessment of the impact of the envisaged processing operations on the protection of personal data”. Certain conditions are laid down which define the extent of the obligation and the type of organizations that are required to fulfil the provisions:
- A type of processing using new technology;
- Processing likely to result in a high risk to the rights and freedoms of individuals or entities.
The risk in a DPIA is associated with the potential of the data to cause material or immaterial harm, including physical harm. The risk needs to be linked directly or indirectly to the processing of data. The use of the term ‘high’ requires a greater degree of intensity, given the common threats posed by the global web. Moreover, the DPIA is carried out in order to assess the various situations where there is a likelihood of causing certain harm.
The European Commission has released the Guidelines on Data Protection Impact Assessment, in furtherance of Article 35(3) of the UK GDPR, to provide certain criteria for assessing the level of risk.
Article 35(3) of the UK GDPR lays down three conditions under which a DPIA is compulsory, which are as follows –
- Systematic and extensive profiling with significant effects: The process requires detailed scrutiny and profiling of Data Subjects, which may have significant legal impacts. For instance, monitoring the browsing history of employees to prevent them from searching for or browsing unlawful content.
- Large-scale use of sensitive data: Certain Data Subjects hold sensitive confidential information (including but not limited to the categories mentioned in Article 9(1) or 10), and a breach of such data can raise serious issues.
- Public monitoring: Information that is available to the general public is highly susceptible to breach and unauthorized usage and hence requires risk analysis for its protection.
It is pertinent to note that the abovementioned obligation has been drafted to have a wide ambit, in an attempt to include the majority of data processing entities. The conditions are laid out broadly and generically for a similar purpose: to impose the obligation on a greater scale and protect as many Data Subjects as possible.
Inter alia, there are nine primary factors, laid out by the Article 29 Working Party of EU Data Protection Authorities, which generally act as indicators of high risk. The primary indicative factors are listed hereunder –
- Evaluation or Scoring
- Systematic monitoring
- Data processed on a large scale
- Matching or combining datasets
- Innovative use or application of new technological or organisational solutions
- Automated decision making with legal or another significant effect
- Preventing Data Subjects from exercising a legal right or using a contract or service
- Sensitive data
- Data concerning vulnerable subjects
The abovementioned factors determine the extent of the assessment and the type of risk to which the Data Subjects may be exposed.
USE AND FEASIBILITY OF DPIA IN SMALL COMPANIES
The GDPR is one of the most extensive and rigorous data protection laws, and it aims to prioritize the security of Data Subjects. Several kinds of information are submitted by users without knowledge of their third-party usage and misappropriation. To comply with such legal responsibilities, companies that collect data from their users and fall under the ambit of the GDPR need to incur heavy costs for conducting a DPIA.
Large companies with more than 250 employees generally have a high turnover and profit ratio, so such costs do not have a large impact on their financials. On the other hand, for small organizations that collect data from users, such as tech startups, online clothing stores, or small gaming companies, DPIA compliance and GDPR reporting pose a substantial issue for the management in striking a balance between the legal obligation and the solvency of the organization.
The cost of a DPIA varies with the size of the company and its risk assessment factors. In a research study conducted by various research firms, the Financial Times Stock Exchange 100 (FTSE 100) firms reported GDPR compliance costs ranging from 10 million Euros to 80 million Euros per year, depending upon the sector and compliance requirements.
A research study in Brussels estimated a cost of 30,000 Euros (approximately Rs. 25 Lacs) for an average DPIA. These costs are recurring, depending upon the standard of protection required by the organization.
If companies choose not to comply with the GDPR and its mandatory DPIA requirements, the Supervisory Authority has the power to impose a wide range of penalties. Such hefty penalties have been provided to push entities to follow the regulations strictly and protect the interests of users.
Another advantage of compliance is avoiding the high cost of a data breach, incurred in responding to such an incident, which on average amounts to around 3.2 million Euros per breach.
With all these hefty fines and response costs, it is very difficult for small and medium organizations to pay off unwanted costs and still invest in operating activities to sustain themselves in the industry. To assist small and medium organizations, the ICO has provided a self-compliance guide, available for free on its website, with relevant information on regulations, assessments, formats, and other such resources, to save the cost of delegating the DPIA to a third party.
In a world where trillions of bytes of data are transferred daily from one part of the globe to another, a DPIA has the potential to add another layer of protection, thereby enhancing the level of preparedness and the overall security of data in a high-risk web space. However, the DPIA is a fairly new concept and is yet to be adopted on a large scale by organizations. Moving forward, due compliance coupled with strict enforcement of the DPIA procedure can help reduce data breaches and further safeguard the personal data of Data Subjects.
The main challenge, however, will be for companies to incorporate the DPIA into their systems and overcome the fear that this practice might restrict their business practices and consume their precious time and money. DPIA requirements may vary across companies, depending upon the type of work performed and the usage, storage, and sharing of public data. Being one of the most advanced data protection laws in the world, the GDPR has established itself as a benchmark in the industry and acts as a model for all other countries to follow.
In our upcoming blog, we shall discuss in detail the Legal Overview of DPIA.
– Team AMLEGALS, assisted by Ms. Akanksha Kashyap and Mr. Rohan Bangia (Interns)
For any queries or feedback, please feel free to connect with email@example.com or firstname.lastname@example.org