All about a Data Protection

Impact Assessment (DPIA)

Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001
www.patreon.com/AndreyProzorov

2.0, 18.05.2022
About me
Cybersecurity and Data Protection Expert

CISM, CIPP/E, CDPSE, LA 27001

• Linkedin.com/in/andreyprozorov
• Patreon.com/AndreyProzorov
Agenda
1. General Information 2. Risk factors 3. DPIA in practice
• GDPR • Whitelists and Blacklists • My templates
• What is a DPIA? • High risk factors • DPIA Lite
• Why is a DPIA needed? • Other potential high risk factors • DPIA and LIA Template
• What are the benefits of 1. Evaluation or scoring • ICO’s LIA Template and Checklist
conducting a DPIA? 2. Automated decision making • How to improve (complicate) the
• Who get involved? 3. Systematic monitoring template?
• When is it mandatory? 4. Sensitive data • DPIA Register
• What should a DPIA include? 5. Large scale • DPIA awareness checklist by ICO
• Other comments 6. Combined data sets
• Guidelines and templates 7. Vulnerable data subjects
• DPIA Process (models) 8. New technology
• Life Cycle by PDPC 9. Preventing data subjects from
• Main issues exercising a right

3
1. General Information

4
GDPR: DPIA
Article 35 Data protection impact assessment Article 36 Prior consultation
• Cases where a DPIA is required • The controller shall consult the SA prior
• Seek the advice of the DPO to processing where a DPIA indicates that
• Whitelists and Blacklists by SAs the processing would result in a high risk
• DPIA content in the absence of measures taken by the
• Seek the views of data subjects or their controller to mitigate the risk.
representatives • Written advice to the controller and
timescales
• Information to the SA

5
What is a DPIA?
• A Data Protection Impact Assessment (DPIA) is
a prior written assessment of the impact of
the planned processing operations on the
protection of personal data.
• DPIAs provide a structured way of thinking
about the risks posed to the people whose
data you process.
• DPIAs also help you to comply with the
requirement of data protection by design.

6
Why is a DPIA needed?

• To understand and mitigate risks to

people’s rights
• To comply with a legal obligation

7
What are the benefits of conducting a DPIA?
• Ensuring and demonstrating that your organisation complies with the GDPR and avoids
sanctions.
• Inspiring confidence in the public by improving communications about data protection
issues.
• Ensuring your users are not at risk of their data protection rights being violated.
• Enabling your organisation to incorporate “data protection by design” into new projects.
• Reducing operation costs by optimising information flows within a project and eliminating
unnecessary data collection and processing.
• Reducing data protection related risks to your organisation.
• Reducing the cost and disruption of data protection safeguards by integrating them into
project design at an early stage.
By DPC Ireland
8
When to do a DPIA?

• Start preparing it when designing a new

processing operation.
• Then review and update it regularly.

9
Who get involved?
• Top management (accountable)
• Business owner
• DPO
• IT department
• Processors

• Privacy Committee
• CISO / IS Team
• Risk and Compliance
• Legal
• Representatives of the subjects
10
When is it mandatory?
A DPIA is mandatory for data processing operations
presenting high risks to data subjects such as
when two of the following criteria apply:
1. Systematic evaluation/profiling
2. Automated decision making
3. Systematic monitoring
4. Sensitive data processing
5. Large scale processing
6. Match/combine datasets with different purposes
7. Vulnerable data subjects
8. New technologies
9. Preventing people from exercising their rights or
entering into a service/contract
11
What should a DPIA include?

• Description of the planned processing

and its purposes
• Necessity and proportionality
assessment
• Risk assessment to data subjects
• Measures to address the risks

12
Other comments
• Controller is accountable for the DPIA
• The controller shall seek the advice of the DPO, where designated, when carrying
out a DPIA
• DPIA is required for the accountability
• DPIA is an important part of the Data Protection by Design
• DPIA focusses on new processes and projects, but ongoing processes should also
be assessed
• There is no requirement to publish DPIA reports, but some provide brief versions
• Be aware of the purpose of the process and try to avoid unnecessary complication
• It is convenient to combine a DPIA with a LIA (legitimate interests assessment)

13
www.patreon.com/posts/31386523 14
Guidelines and templates
Supervisory Authorities
• WP 29 / EDPB: https://ec.europa.eu/newsroom/article29/items/611236/en
• ICO (UK): https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-
protection-regulation-gdpr/data-protection-impact-assessments-dpias and https://ico.org.uk/for-
organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-
interests/how-do-we-apply-legitimate-interests-in-practice
• DPC (Ireland): https://www.dataprotection.ie/en/dpc-guidance/guide-data-protection-impact-
assessments
• CNIL (France): https://www.cnil.fr/en/privacy-impact-assessment-pia
• AEPD (Spain): https://www.aepd.es/en/guias-y-herramientas/herramientas/evalua-riesgo-rgpd
• DPO (Finland): https://tietosuoja.fi/en/impact-assessments
Other
• ISO/IEC 29134:2017 Guidelines for privacy impact assessment
• Brussels Laboratory for Data Protection & Privacy Impact Assessments (d.pia.lab) http://www.dpialab.org
• PDPC (Singapore) - https://www.pdpc.gov.sg/help-and-resources/2017/11/guide-to-data-protection-
impact-assessments 15
16
17
18
19
www.patreon.com/posts/63458468 20
Life Cycle by PDPC
21
Main issues
• Too many requirements and guidelines…
• Different methodologies, no “silver bullet”
• DPIA vs PIA (EU vs US/Other)
• No real examples
• Security Risks (business risks) vs DPIA (risks to subjects)
• Lawyers are usually bad at risk management. Business units, too…
• Consultants offers more sophisticated models (e.g., CNIL)
• Balance the complexity (detail) and value (adequacy) of the assessment
• Assessment should NOT be done by the DPO, he is advising
22
2. Risk Factors

23
Whitelists and Blacklists

• Data protection authorities of many EU member states have published

draft lists of data processing activities that would trigger the need for a
data protection impact assessment in that country.
• IAPP list - https://iapp.org/resources/article/eu-member-state-dpia-
whitelists-and-blacklists
• EDPB’s opinion - https://edpb.europa.eu/our-work-tools/consistency-
findings/opinions_en
• These lists are the basis for recommendations by SAs.

24
Examples (Finland, France, Irland)

25
High risk factors
GDPR Art. 35. Data protection impact assessment
1. Where a type of processing in particular using new
technologies, and taking into account the nature, scope,
context and purposes of the processing, is likely to result in a
high risk to the rights and freedoms of natural persons, the
controller shall, prior to the processing, carry out an
assessment of the impact of the envisaged processing
operations on the protection of personal data. A single
assessment may address a set of similar processing
operations that present similar high risks.

3. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:
(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated
processing, including profiling, and on which decisions are based that produce legal effects concerning the natural
person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal
convictions and offences referred to in Article 10; or
(c) a systematic monitoring of a publicly accessible area on a large scale. 26
Other potential high risk factors
Criteria
1. Evaluation or scoring
2. Automated decision making
3. Systematic monitoring
4. Sensitive data If 2 are matched, a
5. Large scale
full assessment
6. Combined data sets
7. Vulnerable data subjects should be carried out
8. New technology
9. Preventing data subjects from exercising a right

10. International Transfer (optional)

27
1. Evaluation or scoring
Evaluation or rating of data subjects’ performance at work, economic situation, health,
personal preferences, interests, reliability, behaviour, location or movements (including
profiling and predicting).
For example:
• Financial institutions that evaluate their customers in light of a reference database relating
to lending, a database relating to the prevention of money laundering and terrorist
financing or a database concerning fraud.
• Biotechnology companies that advertise genetic testing directly to consumers in order to
evaluate and predict the likelihood of diseases or health risks.
• Businesses that compile behavioural or marketing-related profiles that are based on the
use of their website or activities on their website.

28
2. Automated decision making

• Automated decision-making where the decisions produce legal effects or other

significant effects.
• Often goes together with profiling.
• Impact on subjects is important.

29
3. Systematic monitoring

Personal data are sometimes collected in circumstances where the data subjects do
not necessarily know who is collecting their data and how the data will be used.
Moreover, it can be impossible for individuals to prevent finding themselves in this
kind of a situation in public spaces or publicly accessible areas. Monitoring can refer
to, for example, access control, CCTV monitoring or similar measures.
For example:
• Processing of data for the purpose of observing, tracking or monitoring data
subjects and the collection of data via networks.
• Systematic monitoring of a publicly accessible area on a large scale.

30
4. Sensitive data

• Processing of personal data revealing racial or ethnic origin, political

opinions, religious or philosophical beliefs, or trade union membership,
and the processing of genetic data, biometric data for the purpose of
uniquely identifying a natural person, data concerning health or data
concerning a natural person's sex life or sexual orientation.
• Processing of personal data relating to criminal convictions and
offences.

31
5. Large scale
Assessments of scale should ideally take into account the following:
• the number of data subjects concerned, either as an exact number or a percentage
of a group, such as the population of a town or country
• the volume of the data to be processed and/or the number of individual units of
data
• the duration or permanence of the data processing operation
• the geographical scope of the processing operation.

Personal advisers (e.g., doctors) do NOT process data on a large scale.

32
6. Combined data sets

Coordinating or combining of data sets in a manner that is unforeseen and

unexpected from the perspective of data subjects.
For example:
• A controller combines data sets originating from two or more data processing
operations carried out for different purposes or by different controllers.
• Customer registers or two businesses are combined in connection with a merger.
It can be difficult for data subjects to, for example, prevent the processing of their
data or exercise their other rights if they are vulnerable in respect of the controller.

33
7. Vulnerable data subjects

Vulnerable individuals include, among others,

• children
• employees
• patients
• elderly people
• asylum seekers.

The reason is an imbalance of power between the data subject and the controller.

34
8. New technology

• The use of new technology can involve innovative ways of collecting and using
data, which can result in a high risk to the rights and freedoms of individuals. For
example, certain Internet-of-Things (IoT) applications can have a significant impact
on the daily lives and privacy of individuals, which is why a data protection impact
assessment is required.
• Facial recognition, IoT (internet of things), AI (artificial intelligence, machine
learning and deep learning), autonomous vehicles.

35
9. Preventing data subjects from exercising a right

• For example: Banks that evaluate their customers in light of a reference database
relating to lending in order to decide whether to give them a loan.
• Often linked to automated decision-making and profiling.

36
37
3. DPIA in practice

38
My templates
1. Privacy assessment questionnaire for new processes, projects and systems
(DPIA Lite), 2.3
2. DPIA and LIA Template, 2.1
3. DPIA Register Template, 1.1

What's new (2.0 and 2.1):

• The template was simplified
• DPIA Lite was highlighted
• Legitimate interests assessment (LIA) template was added My cases: SIEM, CCTV, NGFW,
• Evaluation of privacy principles (similar to CNIL) was added Time Tracking System, Site
register, Check-in system,
• Risk scale was aligned with ICO’s requirements
Online web form
• Annexes to the template were reviewed
39
DPIA Lite
• Short and simple template for preliminary analysis
and identification of risk factors
• To be completed by the project/process owner,
checked by the DPO/DPM
• Useful not only for a DPIA, but also for starting
other privacy initiatives (e.g., records of processing
activities, awareness, privacy by design)
• A great topic to talk to the business unit (problem
areas will be highlighted)
• If risk factors are identified, a full assessment (DPIA)
should be carried out

• To sum up: start with this template

40
DPIA and LIA Template

Lite

www.patreon.com/posts/31390422 41
42
43
44
45
Can be taken from ISO 27001/27002, CNIL or other frameworks

46
Assessed by the DPO
47
48
ICO’s LIA Template

ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-
regulation-gdpr/legitimate-interests/how-do-we-apply-legitimate-interests-in-practice
49
ICO’s Checklist
❑ We have checked that legitimate interests is the most appropriate basis.
❑ We understand our responsibility to protect the individual’s interests.
❑ We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify
our decision.
❑ We have identified the relevant legitimate interests.
❑ We have checked that the processing is necessary and there is no less intrusive way to achieve the same result.
❑ We have done a balancing test, and are confident that the individual’s interests do not override those legitimate
interests.
❑ We only use individuals’ data in ways they would reasonably expect, unless we have a very good reason.
❑ We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we
have a very good reason.
❑ If we process children’s data, we take extra care to make sure we protect their interests.
❑ We have considered safeguards to reduce the impact where possible.
❑ We have considered whether we can offer an opt out.
❑ If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a DPIA.
❑ We keep our LIA under review, and repeat it if circumstances change.
❑ We include information about our legitimate interests in our privacy information.
50
• The most difficult section in
any methodology
• We have tried different
approaches...
• We use the simplified version
as much as possible
• Business units were not ready
for more complex models and
self-description of risk
scenarios...
• Top level risks of impact on
subjects are enough for us
(the list is taken from the ICO)
51
Severity and Likelihood

52
Examples

53
54
55
Annexes to the template
• Annex A. Additional links
• Annex B. Comments by ICO (UK):
• Annex C. Examples of security controls by CNIL
• Annex D. ISO 27001 and ISO 27002. Information security controls, 2022
• Annex E. Potential Risks to Data Subjects by DPC
• Annex F. Side effects of processing by AEPD
• Annex G. Examples of risk mitigation measures by DPC and ICO

56
How to improve (complicate) the template?
• Use more specific risk scenarios
• Use more specificity on likelihood and harm assessment (taking into account the
experience of incidents)
• Use information security risk management methodologies (ISO 27005, EBIOS,
IRAM2, NIST RM, ISACA RM, OCTAVE, ENISA - www.enisa.europa.eu/risk-level-
tool )
• Align with the Enterprise Risk Management (risk owners, KRI, risk response
strategies (mitigation, transfer, avoidance, acceptance), review and approval)
регулярный пересмотр и пр.)
• Try CNIL and AEPD templates

57
DPIA Register

www.patreon.com/posts/47866831 58
DPIA awareness checklist by ICO

❑ We provide training so that our staff understand the need to consider a DPIA at
the early stages of any plan involving personal data.
❑ Our existing policies, processes and procedures include references to DPIA
requirements.
❑ We understand the types of processing that require a DPIA, and use the
screening checklist to identify the need for a DPIA, where necessary.
❑ We have created and documented a DPIA process.
❑ We provide training for relevant staff on how to carry out a DPIA.

59
Thanks!
• Linkedin.com/in/andreyprozorov
• Patreon.com/AndreyProzorov
• [email protected]

60