3 Key Elements of a Data Protection Impact Assessment

Data generated by consumers is used by interested parties to better understand customer behaviors—their likes, dislikes, interests, demographics, location and activities—for the purpose of developing or targeting products, improving engagement and personalizing services at an unprecedented scale.

The value of this data, therefore, continues to rise exponentially. But with an alarming number of breaches happening every year, there is growing anxiety among consumers, security professionals and legislative authorities to protect consumer data and uphold their fundamental right to privacy.

A data protection impact assessment (DPIA) is becoming an increasingly important tool for identifying, investigating and mitigating risks related to consumer privacy. Governments around the world have implemented data protection and use regulations such as the EU’s GDPR, the U.S.’s CPRA, CPA and VDCPA, Canada’s PIPEDA and new privacy regulations from China, Turkey and UAE among others. These regulations mandate that businesses carry out DPIAs, especially when there is a high risk to privacy rights and freedom of individuals or when data is being processed at a large scale.

Key Elements of a DPIA

Ideally, a data protection impact assessment should be executed during the planning phase of a large data processing project, prior to the project being launched. Businesses that are considering a comprehensive privacy impact assessment must ensure that they take into account three elements: the nature of the data, the scope of the data, and the context and purpose of data processing. Let’s look at each in more detail.

The Nature Of The Data

It’s important to understand (via data flow diagrams) the process by which the business collects data, its sources of data (public databases, third parties or directly from the end user), its storage location (whether on-premises or in a cloud database such as one hosted on AWS), how it will be used (including whether it is being shared with any third parties) and how each data point is retired and permanently deleted at the end of its life.

The Scope Of The Data

Businesses must engage in a deep dive into the type of data they collect. Any high-risk categories—such as biometric data and other forms of personally identifiable information (PII)—must be specifically noted, highlighted and called out explicitly. Note that if sensitive information is being collected, risks will be amplified and other provisions of the law might come into play. At this juncture, it’s probably a good idea to work with the privacy, legal and information security teams, because each one may have different requirements depending on the data being collected and the jurisdictions involved: security controls, privacy requirements, legal obligations, notice and consent, and opt-in requirements.

The Context and Purpose of Data Processing

As a business, ideally, you want to see and understand the context and purpose of the data being processed. Is the right amount of data being collected or is there room for minimization? Whose data is being collected? Are these current or potential customers? How will this affect their privacy access rights under applicable laws? What is the legal basis of data collection? Does the business have consent measures in place? Does the process allow end-users to control and access their own data? Is there a retention policy in place? Does the data get encrypted or anonymized? Answering these questions can help the business answer the fundamental question: Are consumer rights being upheld across the organization?

Common Mistakes to Avoid

Privacy assessments can be complicated, painstaking and time-consuming, leaving a lot of room for error. One of the most common errors that organizations can make is thinking of a data protection impact assessment as an afterthought rather than considering it as a foundational element of any new data processing project.

Sometimes, businesses will fail to conduct an extensive review involving all departments and functions, and this can leave gaping holes in privacy assessments. Each department will process data differently; that’s why it’s critical that all processes are looked at in detail and none is overlooked. Then there’s the gap between the real and the ideal. Documents can be a wishful or hopeful assessment of, let’s say, the security or privacy controls that an organization wants to implement, rather than of the ones that have actually been implemented or will be implemented.

Some businesses view a DPIA as a check-box activity that is mandated by compliance and, therefore, design their processes around achieving compliance rather than championing data privacy. In other instances, a DPIA is seen as a one-time activity instead of an ongoing one that needs revisiting at regular intervals.

As data and departments evolve, it’s important to reevaluate the privacy posture of the organization, preferably via automated reminders or tasks, using governance, risk and compliance (GRC) tools and software.

Gartner believes that digital ethics are increasingly important and that businesses that proactively manage consumer privacy will enjoy greater trustworthiness and digital revenue than those that don’t. In addition, it’s projected that 65% of the world’s population will have their data governed under modern privacy regulations by 2023. Under these circumstances, DPIA processes, coupled with GRC tools (aided by artificial intelligence and automation), will become even more mature, methodical and mainstream.

Stu Sjouwerman

Stu Sjouwerman is founder and CEO of KnowBe4, developer of security awareness training and simulated phishing platforms, with over 30,000 customers and more than 20 million users. He was co-founder of Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010. Stu is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.”