DPIAs – protecting data at the design stage
Data Protection Impact Assessments (DPIAs) are now mandatory in most cases under GDPR when designing or modifying a process that involves Personally Identifiable Information (PII).
DPIAs are now a crucial process for demonstrating to the Supervisory Body (the ICO for the UK) that an organisation has done everything it can to ensure that data is being processed in accordance with the law.
With new, innovative products or processes, the security of personal data is often treated as an afterthought: the product is launched as early as possible to prove the concept and to generate revenue.
DPIAs will help ensure that the rights and freedoms of data subjects have been considered in new or modified processes that carry high risks to them. This will help minimise or prevent data breaches and unlawful processing. This approach is often referred to as Privacy by Design and Default, and it will be a useful tool for putting adequate controls in place at the planning stage and then reviewing them regularly afterwards.
DPIA – what does it involve?
The first step is to identify the need for a Privacy Impact Assessment (PIA), what the project aims to achieve, its objectives and who the stakeholders are. Importantly, it needs to identify what personal information is being collected, why it is being collected and the quantity of information required.
A data mapping exercise should follow to identify the information flows, showing a lifecycle of what data is to be collected, what it is used for, where it will be stored, any third parties it will be transferred to, the deletion policy, etc.
The next step is to identify any risks to the privacy of that data and the impact on the data subject. This will then lead to identifying and proposing any measures that can mitigate these risks. A list of security measures could include physical restrictions, defined processes and technical controls.
These measures need to be approved by the stakeholders, who assess whether the solutions address the risks adequately. The outcomes should then be recorded before they are implemented into the process.
There is a Code of Practice document available on the ICO’s website which will help you understand the process and how this links to the principles.
This is a really useful tool to implement at the planning stage for all new processes and will ensure that you are making Privacy by Design and Default part of your organisation’s objectives.