[GDPR Step 08] How to Conduct Data Protection Impact Assessments

The General Data Protection Regulation (GDPR), introduced by the European Union, took effect on May 25, 2018. With the introduction of GDPR, organizations have to change many of their existing processes and introduce new ones to protect personal data. One new process that will become mandatory is data protection impact assessments (DPIA).

We recently hosted an on-demand webinar, Practical Steps to GDPR Compliance, that focuses on a comprehensive 16-step plan to operationalize a data governance program that supports GDPR compliance.

Conducting data protection impact assessments is Step 8 in this plan. To learn more about the first seven steps, check out the links in the sidebar.

When Is a Data Protection Impact Assessment Required?

Article 35 of the GDPR concerns data protection impact assessments (DPIA).

DPIA is an evaluation of whether a change to an existing system or the introduction of a new system could compromise the privacy of the personal data of a subject in any way. The GDPR mandates a DPIA when data processing could result in high risk to the rights and freedoms of data subjects.

This is specifically required by the GDPR in the following three scenarios:

  1. When an organization conducts a systematic and extensive evaluation of personal data using automated processing such as profiling, and the subsequent decisions produce legal effects to the data subjects. For example, an organization may profile customers’ social media data to understand buying preferences or political leanings.
  2. When an organization processes special data categories such as race or ethnic origin, or of personal data relating to criminal convictions and offences. For example, if an investment bank wants to process personal data for anti-money laundering (AML) obligations or detect fraudulent transactions, a DPIA would help identify the risk to the data subject.
  3. When an organization conducts large-scale, systematic monitoring of a public space.

For example, a retailer may want to use facial recognition software in mall kiosks. This software may be used to customize advertisements based on the gender and approximate age of the visitor. A DPIA may require the retailer to delete any information within a certain time frame after the ad is displayed, and to refrain from combining this data with social media profiles.

When to Perform a Data Protection Impact Assessment

Data governance must establish controls so that DPIAs are conducted as required by the GDPR. The governance team, in collaboration with legal and compliance, must identify and document potential processing operations that could put data at risk.

After identifying processing operations that may pose a risk to data security, a DPIA must then be done before the actual processing. The result of the assessment would determine the processing strategy and the controls that need to be taken to safeguard the privacy of data subjects. Again, the strategy needs to be derived among multiple teams such as IT, governance, legal, compliance, finance, etc.

Finally, organizations have to ensure that the outcomes of the DPIA are integrated as data protection solutions into systems and processes.

Using Talend For Data Protection Impact Assessments

Talend Data Quality and Talend Metadata Manager can capture, discover, and profile new datasets and the related semantics in a highly automated way, and then apply these control rules at scale. As a result, these tools can take an active role within a DPIA for any information system.

For example, suppose a company wants to conduct a DPIA on its data lake that ingests vast quantities of data from connected devices. Talend Data Quality can support the DPIA by discovering personal information within the dataset, which would then be masked before ingesting into the data lake.

Next Steps to Impact Assessment

Data protection impact assessment might sound like legalese, but it’s more than that—it’s about profiling data to determine if it’s at risk, and planning mitigative solutions. When in doubt, organizations can counsel with their data protection officer (DPO) for the assessment.

The next step of Talend’s comprehensive 16-step plan to achieve GDPR compliance is conducting vendor risk assessments.

← Step 7  |  Step 9 →

Ready to get started with Talend?