Data Protection Impact Assessment

A Data Protection Impact Assessment (hereinafter “DPIA”) is a risk assessment document – much alike the more familiar assessments in the context of AML/CTF. However, as DPIAs are not too often getting their time in the spotlight, we provide you the key considerations related to DPIAs through this brief article.

What is a DPIA?

Under the EU General Data Protection Regulation (hereinafter “GDPR”), a DPIA is a statutory risk assessment that shall be both documented and implemented in practice.  The statutory nature of a DPIA is following of Articles 35 and 36 of the GDPR, setting the foundation and requirements for the document. Thus, for a “data protection related risk assessment” to be sufficient from a regulatory perspective, the characteristics as laid down in Articles 35 and 36 must be met.

Simply put and at its core, a DPIA covers a specific organization’s data protection related activities by identifying and evaluating the risks related to the processing of personal data.  Thereby, a DPIA shall include descriptions on the processing activities as well as information on the (data protection related) risk management and mitigation methods that are utilized by the organization. As earlier mentioned, in this regard a DPIA reminds a lot of a general AML/CTF risk assessment document.

For whom is a DPIA mandatory?

Even though any organization can voluntarily conduct a DPIA to assist the management of risks related to processing of personal data, not every organization is obliged to have a DPIA in place.  Nevertheless – voluntary or mandatory – a DPIA is an excellent (or the only) way to comply with the principle of accountability as per required by the GDPR.

In a Finnish context, following of the GDPR and the national legislation, a DPIA is mandatory for, including but not limited to, organizations who act as controllers of personal data and simultaneously do some of the following:

• New technology (e.g., artificial intelligence) is used for the processing of personal data;
• The processing of personal data is likely possessing a high risk to data subjects (e.g., large scale profiling);
• Special categories of personal data (e.g., health data) are processed; or
• Specific purposes (e.g., scientific or statistical research) of processing activities are carried out.

However, in most cases, the existence of a mandatory need for a DPIA must be assessed on a case-by-case basis, as there are no exhaustive regulations specifying exactly when a DPIA must or must not be conducted. Thereby, to avoid fines and challenges with the authorities, it is very important for organizations to stay aware of their personal data processing activities and continuously evaluate whether a DPIA should be drafted.

Conclusion

A well-made DPIA is a quite technical document and often requires expert assistance for achieving the aimed level of compliance as required by the GPDR. Hence, organizations should not be late with assessing their level of data protection – especially in situations where new business models or technologies are implemented. A comprehensively drafted DPIA is protecting the organization against materialized risks and losses.

As a law firm specialized in data protection and privacy matters, please feel free to contact us would you be interested to further evaluate your needs for a DPIA.