How to make your impact evaluation successful
The GDPR introduced the concept of a Data Protection Impact Assessment (DPA). From that moment on, it is mandatory for the Supervisory Authorities to establish indicative lists of processing operations that do or do not require impact assessments, as well as processing operations that do require impact assessments.
What is an impact assessment and what is it for?
The Data Protection Impact Assessment (DPA) is a crucial tool in the field of privacy and data protection. Its main objective is to carry out a comprehensive and early assessment of the risks that may affect personal data in a specific project.
By conducting a PIA, it seeks to identify and understand the potential risks associated with the processing of personal data, with the purpose of taking preventive and corrective measures to mitigate them.
In practical terms, the PIA enables data controllers to make informed risk management decisions. By analysing the information system, product or service involved, the PIA helps to determine whether the processing activities comply with existing data protection regulations and policies.
It is essential that the DPA is carried out systematically and objectively by lawyers who are knowledgeable about data protection. This should consider both the type of personal data being processed and the nature and context of the processing.
It is also important to assess the likelihood and severity of the potential risks, as well as the impact they would have on the individuals whose data are being processed.
Once risks have been identified, the PIA becomes a tool to guide the adoption of appropriate measures. These may include implementing technical and organisational measures to reduce data exposure, reviewing information security policies, training staff involved in data processing, or even reconsidering certain practices or services that may present a high risk without clear justification.
Steps and requirements for a successful impact assessment
The requirements for a proper impact assessment are that it is carried out when required by the GDPR, i.e. when the processing is likely to result in a high risk to the rights and freedoms of individuals.
In this regard, it is important to note that the performance of a PIA is not mandatory in all cases, although it is advisable in many situations where data processing takes place. As we have indicated, it is only mandatory when this processing may entail a high risk for the rights and freedoms of users.
In particular, it will be mandatory when it involves the systematic and exhaustive evaluation of personal aspects of an individual, including profiling, when large-scale processing of sensitive data is carried out, and when large-scale systematic observation of a public area is carried out.
How to implement an impact assessment step by step
There are several steps in conducting a PCIA:
1. Need for a DPA
In this initial phase, an assessment is carried out to determine whether a Data Protection Impact Assessment is necessary.
It is essential to identify the data processing operations, through data protection lawyers, that will be carried out in the specific project and to analyse whether they may entail a high risk to the rights and freedoms of the data subjects. If so, the EIPD is initiated.
2. Description of the project and information flows
At this stage, a thorough analysis of the project or activity that will involve the processing of personal data is carried out. It identifies the categories of data that will be processed, examines the information flows, the technologies and systems used, as well as the processes related to the data processing.
This step provides a detailed overview of the scope of the PIA and allows a full understanding of the context in which the data processing will take place.
3. Risk identification and assessment
In this step, potential data protection risks to the data subjects concerned by the processing are identified and assessed. It analyses how the processing activities may affect the rights and freedoms of data subjects, considering aspects such as confidentiality, integrity, availability and the likelihood of security incidents. The assessment of these risks enables prioritisation of efforts to adopt appropriate mitigation measures.
4. Measures to guarantee the privacy of personal data
Once the risks have been identified, this phase involves identifying and proposing measures to eliminate, mitigate, transfer or assume the risks detected. These measures may include the implementation of technical, organisational or legal controls to protect the privacy of personal data. It is essential to ensure that these measures are effective and provide an adequate level of data protection.
5. Final report
At this stage, a detailed report is prepared that includes the analysis of the identified risks, the proposed measures and recommendations for the proper management of personal data privacy. The final report becomes a key tool to demonstrate the company’s compliance with data protection regulations and to provide transparency to stakeholders.
6. Review
The review is a continuous and dynamic stage of the DPOI process. It allows verifying the effectiveness of the measures implemented, as well as detecting new risks or changes in the environment that may affect data protection. It is essential to keep the EIPD updated, carrying out periodic reviews and adapting the protection measures as necessary.
At Letslaw our team of data protection lawyers will advise you on your impact assessment and at all stages of its development.