2B Advice
TEL: +1 (858) 366-9750
FREE DOWNLOAD
2B Advice

Data Protection Impact Assessment

How To Conduct Data Protection Impact Assessments

There are a number of types of impact assessments that a data controller might undertake, depending on their governing data protection or data privacy laws, the types of activities they are processing, and the maturity of their privacy program. Here we will describe the requirements for a Data Protection Impact Assessment.

Learn More About Data Protection Impact Assessments

See how we can help your company with a Data Protection Impact Assessment today. 

Euro Prise Privacy Seal

CERTIFIED EXPERTS

EuroPriSe Certified & Accredited
Legal & Technical Experts

SINCE 2003

We are one of the providers with the longest experience in the market.

INTERNATIONAL TEAM

Our data protection expertise is transnational and we work internationally.

About DPIA

According to the General Data Protection Regulation (GDPR) Art.35, the processing of personal data which is likely to result in a high risk to the rights and freedoms of natural persons, shall, prior to the processing, undergo an assessment of the impact that such processing operations may have on the protection of personal data.

This assessment is known as a DPIA (Data Protection Impact Assessment), and it is solely the responsibility of the Controller that it is carried out. Situations where a DPIA should be conducted are those that employ new technologies, that process large quantities of data or/and special categories of data, involve monitoring and profiling, automated processing. In certain circumstances, the place of the processing makes a difference on whether the performance of the DPIA is mandatory or not in accordance with the black/whitelists published by the local data protection supervisory authority.

DPIA Objectives

The DPIA is performed exclusively on a single and specific processing activity that could result in high risk to the rights and freedoms of natural persons also called data subjects. The DPIA aims to identify and quantify potential high risks for the data subjects prior to the processing of the activity.

Since it is an element of the GDPR, whose main core value is the preservation of the rights and freedom of the data subjects, the data protection impact assessment does not take into consideration in any shape or form the risks that the organization may face.

DPIA Solutions

A DPIA should be carried out prior to processing or in the design phase of a new technology and on a regular basis (audit) thereafter.

  • Work with 2B Advice’s team of experts to analyze the circumstances specific to your situation
  • Benefit from an external point of view for the identification of risk
  • Work with 2B Advice’s team to adjust our methodology to your business
  • Develop and internal process for running DPIA in the future.

DPIA Benefits with 2B Advice

Understanding your areas of privacy risk is a complex journey and 2B Advice Privacy experts are here to help you.

Often it is helpful to start with a Privacy Impact Assessment to get an overall idea of your areas of risk; or if cross-border data transfer is a key requirement, you might begin understanding your areas of risk with a Data Transfer Impact Assessment. If digital transformation a key initiative, then you could start with a Cloud Migration Impact Assessment. Our risk assessments may be run as a single activity, in parallel, or in sequence as you progress on your privacy compliance journey.

Frequently Asked Questions About Data Protection Impact Assessments

The Data Protection Impact Assessment, or DPIA, is specified by Article 35 of the GDPR. The DPIA is performed exclusively on a single and specific processing activity that could result in high risk to the rights and freedoms of natural persons also called data subjects. The DPIA aims to identify and quantify potential high risks for the data subjects prior to the processing of the activity.

Since it is an element of the GDPR, whose main core value is the preservation of the rights and freedom of the data subjects, the data protection impact assessment does not take into consideration in any shape or form the risks that the organization may face.

It may be noted that depending on the language and region, you may here this type of assessment also called a Data Privacy Impact Assessment. Here will use the terms interchangeably.

The 2B Advice methodology follows the basic requirements set out in Article 35 GDPR and is enriched by recommendations of supervisory authorities and best practice. A DPIA always follows the following steps.

1. Systematic description of the processing activity (including responsibilities)

2. Risk assessment (including necessity and proportionality assessment)

3. Proposal of corrective measures to mitigate the occurrence of the risks / threats.

A data protection impact assessment is needed when the manual or automated collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data (aka “processing activity”) is likely to result in a high risk to the rights and freedoms of natural persons.

It should be carried out prior to processing or in the design phase of a new technology and on a regular basis (audit) thereafter.

The objective of a DPIA is not to eradicate all risk, but should help you minimize and determine whether the level of risk is acceptable in the circumstances, taking into account the benefits of what you want to achieve.

A DPIA is a process designed to help you systematically analyse, identify and minimise the data protection risks when processing personal data. It is a key part of your accountability obligations under the GDPR (Art. 35 GDPR), and when done properly helps you assess and demonstrate how you comply with all of your data protection obligations.

Under the GDPR there are 9 criteria to be considered to determine if a processing activity is of high risk if it involves:

1. Evaluation or scoring, including profiling and predicting
2. Automated-decision making with legal effect
3. Systematic monitoring
4. Sensitive or highly personal data
5. Data processed on a large scale
6. Matching or combining datasets
7. Data concerning vulnerable data subjects
8. Innovative use or applying new technological or organizational solutions
9. When the processing prevents data subjects from exercising a right or using a service or contract

Number 8 leaves quite broad opportunity for interpretation. Companies need to carry out a due diligence to determine if their processing is in-or outside the scope of this criteria.

Under the GDPR, DPIA’s are mandatory for highrisk processing activities and non-compliance with DPIA requirements can lead to fines imposed by the supervisory authority. Failure to carry out a DPIA when the processing is subject to a DPIA , carrying out a DPIA in an incorrect way (ref Article 35), or failing to consult the competent supervisory authority where required (Article 36(3)(e)), can each result in an administrative fine of up to 10M Euros, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the Controller, with the DPO and Processors, should be responsible for carrying out a data protection impact assessment. The controller is responsible that the DPIA is carried out and is accountable for the risk, though the DPIA itself might be done by someone else.
Under the GDPR, in order to manage the risks to the rights and freedoms of natural persons, the risks have to identified, analyzed, estimated, evaluated, treated, and reviewed regularly. Carrying out a DPIA is a continual process, not a one-time effort.

How can 2B Advice help with Data Protection Impact Assessments?


2B Advice offers privacy compliance software and services that help with Data Protection Impact Assessments including risk assessment tools and catalogs, stakeholder questionnaires, a database for records of processing activities and more. If you need help getting started, ask about our ask about our consulting services to help with your DPIA for when you are launching a new product, implementing new technologies, or other high risk processing activities.

Questions? Contact Us Today! SEND MESSAGE or call +1 (858) 366 9750
IHK

2B Advice is ISO/IEC 27001:2013 Certified

IAPP Gold Member

2B Advice is an IAPP corporate Gold member

Gold Microsoft Partner

2B Advice is a Microsoft Gold-Certified Partner

Our Clients (Selection)

our Clients

Our Data Privacy Service Portfolio

Privacy Impact Assessment

2B Advice offers privacy compliance software and services that help with Privacy Impact Assessments including risk assessment tools, catalogs, and more.

Data Protection Impact Assessment

According to GDPR, processing of personal data has to an elaborate assessment of the impact prior to the processing. Learn how we can help.

Cloud Migration Impact Assessment

Our team of experts will advise your legal requirements you need to be aware of in terms of privacy regulations and data privacy compliance.

Data Transfer Impact Assessment

Companies who transfer data across borders must find other legal bases for their data transfer which include putting SCC in place according to GDPR.

Regional GDPR Gap Analysis

The Regional GDPR Gap is an initial assessment to identify organizational gaps in your privacy organization based on the current state of your privacy program.

Standard Contractual Clauses

According to the GDPR, SCCs ensure appropriate data protection safeguards as grounds for data transfers from the EU to third countries.

Questions?

CONTACT

2B Advice LLC
7220 Avenida Encinas #208
Carlsbad, California, USA

Tel: +1 (858) 366 9750
Email:
sandiego@2b-advice.com