[GDPR Step 08] How to Conduct Data Protection Impact Assessments
The General Data Protection Regulation (GDPR), introduced by the European Union, took effect on May 25, 2018. With the introduction of GDPR, organizations have to change many of their existing processes and introduce new ones to protect personal data. One new process that will become mandatory is data protection impact assessments (DPIA).
We recently hosted an on-demand webinar, Practical Steps to GDPR Compliance, that focuses on a comprehensive 16-step plan to operationalize a data governance program that supports GDPR compliance.
Conducting data protection impact assessments is Step 8 in this plan. To learn more about the first seven steps, check out the links in the sidebar.
When Is a Data Protection Impact Assessment Required?
Article 35 of the GDPR concerns data protection impact assessments (DPIA).
DPIA is an evaluation of whether a change to an existing system or the introduction of a new system could compromise the privacy of the personal data of a subject in any way. The GDPR mandates a DPIA when data processing could result in high risk to the rights and freedoms of data subjects.
This is specifically required by the GDPR in the following three scenarios:
- When an organization conducts a systematic and extensive evaluation of personal data using automated processing such as profiling, and the subsequent decisions produce legal effects to the data subjects. For example, an organization may profile customers’ social media data to understand buying preferences or political leanings.
- When an organization processes special data categories such as race or ethnic origin, or of personal data relating to criminal convictions and offences. For example, if an investment bank wants to process personal data for anti-money laundering (AML) obligations or detect fraudulent transactions, a DPIA would help identify the risk to the data subject.
- When an organization conducts large-scale, systematic monitoring of a public space.
For example, a retailer may want to use facial recognition software in mall kiosks. This software may be used to customize advertisements based on the gender and approximate age of the visitor. A DPIA may require the retailer to delete any information within a certain time frame after the ad is displayed, and to refrain from combining this data with social media profiles.
When to Perform a Data Protection Impact Assessment
Data governance must establish controls so that DPIAs are conducted as required by the GDPR. The governance team, in collaboration with legal and compliance, must identify and document potential processing operations that could put data at risk.
After identifying processing operations that may pose a risk to data security, a DPIA must then be done before the actual processing. The result of the assessment would determine the processing strategy and the controls that need to be taken to safeguard the privacy of data subjects. Again, the strategy needs to be derived among multiple teams such as IT, governance, legal, compliance, finance, etc.
Finally, organizations have to ensure that the outcomes of the DPIA are integrated as data protection solutions into systems and processes.
Using Talend For Data Protection Impact Assessments
Talend Data Quality and Talend Metadata Manager can capture, discover, and profile new datasets and the related semantics in a highly automated way, and then apply these control rules at scale. As a result, these tools can take an active role within a DPIA for any information system.
For example, suppose a company wants to conduct a DPIA on its data lake that ingests vast quantities of data from connected devices. Talend Data Quality can support the DPIA by discovering personal information within the dataset, which would then be masked before ingesting into the data lake.
Next Steps to Impact Assessment
Data protection impact assessment might sound like legalese, but it’s more than that—it’s about profiling data to determine if it’s at risk, and planning mitigative solutions. When in doubt, organizations can counsel with their data protection officer (DPO) for the assessment.
The next step of Talend’s comprehensive 16-step plan to achieve GDPR compliance is conducting vendor risk assessments.
← Step 7 | Step 9 →
More related articles
- Pillars to GDPR Success (2 of 5): Data Capture and Integration
- Pillars to GDPR Success (4 of 5): Self-Service Curation and Certification
- Pillars to GDPR Success (3 of 5): Anonymize and Pseudonymize for Data Protection with Data Masking
- Pillars to GDPR Success (5 of 5): Data Access and Portability
- Preparing for GDPR
- [GDPR Step 14] How to Govern the Lifecycle of Information
- Pillars to GDPR Success (1 of 5): Data Classification and Lineage
- PCI DSS: Definition, 12 Requirements, and Compliance
- [GDPR Step 15] How to Set Up Data Sharing Agreements
- [GDPR Step 16] How to Enforce Compliance with Controls
- [GDPR Step 13] How to Manage End-User Computing
- [GDPR Step 11] How to Stitch Data Lineage
- [GDPR Step 09] How to Conduct Vendor Risk Assessments
- [GDPR Step 12] How to Govern Analytical Models
- [GDPR Step 10] How to Improve Data Quality
- [GDPR Step 07] How to Establish Data Masking Standards
- [GDPR Step 3] How to Confirm Data Owners
- [GDPR Step 06] How to Define Acceptable Use Standards for GDPR
- [GDPR Step 2] The Importance of Creating Data Taxonomy
- [GDPR Step 4] How to Identify Critical Datasets and Critical Data Elements
- What is Data Portability?
- [GDPR Step 01] How to Develop Policies, Standards, and Controls
- What is Data Privacy?
- [GDPR Step 5] How to Establish Data Collection Standards