It’s been a busy summer at Casa Castlebridge, with a striking increase in requests for help and guidance in completing Data Protection Impact Assessments. The DPIA was introduced last year in Article 35 of the GDPR, and it is important not to assume it is the same thing as a Privacy Impact Assessment (PIA) or an Information Risk Impact Assessment (IRIA). The latter two have been around for much longer and are already used by CIOs and Programme Managers to identify and mitigate both organisational privacy risk and risks to their clients and customers.

PIAs, IRIAs and DPIAs have very distinct roles to play within an organisation. PIAs and IRIAs evaluate how business and technology policies and processes minimise risks to all of the organisation’s data (financial and security risks) and the privacy risks to individuals. DPIAs are like PIAs in focusing on potential impacts on the people whose data we are processing, but instead of limiting their focus to privacy risks, they assess how a particular processing operation could affect those people’s rights and freedoms under the Charter of Fundamental Rights. Some commonalities arise (e.g. we use the FMEA[1] methodology of risk assessment in both), which makes the three processes complementary and gives the organisation a 360° data protection analysis.


It has been encouraging to see that our clients, old and new, understand under what conditions the law requires them to undertake a DPIA.  They are also seeing the value that taking the time to do these analyses (and we know a DPIA can be completed within 3-10 days) adds to their organisations.  It can make the difference in a Go/No Go decision on a major investment, provide cost savings in terms of systems and processes, and form part of the due diligence in any acquisition or divestiture of a business.

Simply put, a DPIA is a series of questions accompanied by a risk analysis of the answers to those questions.  It needs to be done when you are planning new or changed processing of personal data and/or when there is a potential that personal data may be processed. Article 35 makes it mandatory where the processing is likely to result in a high risk to the rights and freedoms of individuals, and each supervisory authority publishes a list of the kinds of processing that always require one, so check your own authority’s list before deciding you are exempt.

The questions should include the following (these are high-level examples; for a more detailed, full set of the questions you need to be asking, check out the website of the CNIL, the French data protection authority, at www.CNIL.fr):

  • What do we want to do?
  • Why do we want to do it?
  • Who does it affect?
  • How does it affect them?
  • If there are issues, why? Look at the cause, not the symptom
  • What legal problems could we encounter?

This deep dive into every nook and cranny of the organisation’s operations can provide unique insights that, more often than not, give our clients an “a-ha” moment.  Future problems caused by today’s decisions, inconsistencies, wastage, duplication and much more can be identified by investing a short amount of time to stand back, breathe and evaluate what’s going on.

Delivering a DPIA requires delving deep into your organisation’s processes, procedures and decision-making, so if you require external help it is really important to work with a trusted partner and to make sure they are under NDA before any of that detail is shared.

I expect to see a continuing rise in the use of DPIAs as organisations across all sectors come to realise that rather than being simply a compliance requirement, the DPIA is the go-to weapon in their business arsenal.

Note:

For a 30 minute Introduction to DPIAs, check out the online course from dataeducation.ie at Data Protection Impact Assessment course

[1] Begun in the 1940s by the U.S. military, failure modes and effects analysis (FMEA) is a step-by-step approach for identifying all possible failures in a design, a manufacturing or assembly process, or a product or service. It is a common process analysis tool.

Ref: https://asq.org/quality-resources/fmea