Captain Compliance Helps You Find The Best Template Out There

Every time your business gathers, uses or keeps customer data for any project, product, or service, their privacy could be at risk.

A Data Privacy Impact Assessment (DPIA) helps businesses become more aware of the data protection and privacy challenges that they’re facing.

A DPIA is legally required for organizations when processing data that can result in high risk to the rights and freedoms of individuals, so having a DPIA GDPR template ready can save you both a lot of time and money.

Key Takeaways

• A Data Privacy Impact Assessment (DPIA) is mandatory when the processing is likely to result in a high risk to the rights and freedoms of individuals
• DPIA has four stages: identifying the scope and purpose of the processing, assessing the risks to the privacy of individuals, identifying the measures to reduce those risks, and monitoring and review
• The data controller (business) is ultimately responsible for conducting a DPIA

What is DPIA?

A DPIA is a process that organizations use to identify, determine, and reduce the potential privacy risks related to a new service, product, or process that involves collecting and processing personal data.

The data controller (business) is ultimately responsible for initiating, performing, and completing a DPIA. However, they should do it in consultation with the data processor and the data protection officer (DPO) or person in charge of data protection.

Since this kind of document can contain a lot of information, a good DPIA GDPR template can save a lot of time creating it instead of making one from scratch.

Does My Business Need to Do a DPIA?

Not every business needs to do a DPIA.

The requirements are laid out in Article 35 of GDPR, which basically says a DPIA should be conducted whenever a business is processing data that has a potential for high risk to the data subject’s rights and freedoms.

This includes biometric data like fingerprints, financial data such as bank account numbers, Social Security Numbers, systematic and extensive profiling, criminal offense data, children’s data, and more.

According to the UK’s ICO, a business must create a DPIA when:

1. Profiles data subjects on a large scale
2. Using innovative technology (where it’s not entirely clear how the technology will affect individuals’ privacy
3. Is profiling customers or using the special category data to determine access to its products and services
4. Processes biometric data
5. Processes genetic data
6. Combines different datasets from multiple sources
7. Does “invisible” processing (collects personal data without a privacy notice)
8. Tracks the location or behavior of individuals
9. Profiles children or markets to them
10. Processes data that could endanger the data subject in case of a data breach

What Should a DPIA Include?

A DPIA is an essential document involving several key steps and elements. Ensure that you Include the following in your DPIA:

1. A description of the processing
2. An assessment of the necessity of processing operations
3. An assessment of the risks to the rights and freedoms of data subjects
4. Measures to address the risks (safeguards, security measures, and mechanisms for protecting personal data)

You can read Article 35 and Recital 90 of the GDPR for a clearer picture of what to include inside your DPIA.

Best DPIA GDPR Template

The above was a brief explanation of the steps that a DPIA should include.

The Information Commissioner’s Office (ICO) provides a sample DPIA GDPR template that you can follow.

This template includes 7 steps and should be filled out at the beginning of a project that involves processing personal data:

Step 1: Identify the need for a DPIA

The first step of the DPIA involves identifying if you need to conduct a DPIA based on the information you want to process and the type of processing.

Step 2: Describe the processing

Here, you will answer questions such as: How will you collect, store, use, and/or delete data? What are your data sources? Are you sharing data with anyone?

During this step, you should also determine the scope of data processing, including the nature of the data you are processing, the amount of data you will be collecting and using, how often you will do this, how long you will keep this data, and of how many data subjects.

Also, you will write down the context of the processing. How much control do data subjects have over the data you are processing, what are your relationships with them, are there vulnerable groups like children involved, state of technology, and other concerns?

Finally, what is the purpose of the data processing? What is the end goal, the benefits, and effects for your organization and the individuals?

Step 3: Consultation process

Who are the relevant stakeholders, internal or external, that you need to consult in the course of this project? This can involve information security experts, among others.

Step 4: Assess necessity and proportionality

What is the lawful base for processing, an alternative way to get the same outcome (perhaps using less data), how will you ensure data quality and minimization, and what are your measures to ensure data processors’ compliance?

Step 5: Identify and assess risks

In step five, you will identify and describe risk sources and their potential impact.

For each risk, create a three-column table that includes the likelihood of harm, severity of harm, and the overall risks:

Likelihood of harm	Severity of harm	Overall risk
Remote, possible, probable	Minimal, significant, severe	Low, medium, high

Step 6: Identify measures to reduce the risk

Once you understand the risks and their likelihood and severity, you are better prepared to introduce measures with which to minimize them.

Again, the ICO recommends creating a table like this:

Risk	Options to reduce or eliminate risk	Effect on risk	Residual risk	Measure approved
		Eliminated, reduced, accepted	Low, medium, high	Yes/No

Step 7: Sign off and record outcomes

For the final stage of the DPIA, create a  table like this:

Item	Name/Date	Notes
Measures approved by:
Residual risks approved by:
DPO advice provided:
Summary of DPO advice:
DPO advice accepted or overruled by:
Comments:
Consultation responses reviewed by:
Comments:
This DPIA will be kept under review by

Alternative DPIA GDPR Template

This, of course, isn’t the only GDPR DPIA template out there.

An alternative is one by the French Commission Nationale Informatique & Libertes, or CNIL, whose Privacy Impact Assessment (PIA) template you can also use.

This includes:

1. Launching a New Process

For example, you might be launching a service that relies on the user’s geolocation. This is a type of special category data that, if it gets into the wrong hands,  could cause harm to the individual.

2. Considering the Processing

Knowing this, the organization should carefully evaluate the processing, its necessity, scope, and lawful basis.

Does the processing include new technology, vulnerable data subjects, sensitive data, and matched datasets? Is it systematic? If it meets at least two criteria, it can be considered “high risk”

3. Evaluating the Risks

Next, what are the risks to the data subjects’ rights and freedoms? Are they low, medium, or high? What is their likelihood? Are they more or less likely to happen?

4. Addressing the Risks

Finally, what are some solutions you can propose to address those risks? Are there any measures, technical or organizational, that can help minimize the risks?

Conclusion

Understanding the dangers of using high-risk personal data and finding ways to reduce those can help improve your data protection.

By using a GDPR DPIA template, your organization can be one big step closer to achieving compliance.

However, there is more to GDPR compliance than conducting a DPIA. If you want to cross all the to-do’s regarding compliance, get in touch with Captain Compliance today!

FAQs

When writing a DPIA, start by identifying the need for a DPIA. Remember, if the processing does not pose a high risk to the rights and freedoms of individuals, you don’t need to conduct a DPIA.

If it does, however, you need to next describe the processing, assess the necessity and proportionality, identify and assess risks, identify measures to alleviate those risks, and finally record outcomes.

Need help writing a DPIA? Get in touch with us so we can help you through the process!

What is a DPIA template?

A DPIA template is a pre-designed file or document that you can use to create a Data Privacy Impact Assessment (DPIA) in the form of a Word or Google document or a spreadsheet and minimize the time and effort needed to create one from scratch.

Here are the steps to make a GDPR privacy policy with a template included!

What are the 4 stages of a DPIA?

The  4 stages of a DPIA are:

1. Identification of the scope and purpose of data processing
2. Assessment of the risks to the privacy of individuals
3. Identification of measures to mitigate the risks
4. Monitoring and review

Here’s our article on what a data risk assessment is and how to do it.

What must be included in a DPIA?

At a minimum, GDPR requires that the DPIA includes:

1. A description of the processing along with the legitimate interest
2. An assessment of the necessity of processing
3. An assessment of the risks to the rights and freedoms of individuals
4. Proposed measures to alleviate those risks

Want more tips to comply with the GDPR? Here’s our complete GDPR checklist.

Does GDPR require DPIA?

Data Privacy Risk Assessment (DPIA) is mandatory under Article 35(1) GDPR any time data processing “is likely to result in a high risk to the rights and freedoms of natural persons.”

For example, if you are launching a new healthcare app that requires collecting and processing sensitive health data and using AI algorithms for personalized health recommendations based on the data subject’s medical history, genetics, or lifestyle, you would need to conduct a DPIA because:

1. You are collecting special categories of data
2. Rely on automated decision-making to provide information
3. The nature of the data you are processing poses a high risk to the data subject’s rights and freedom

On the other hand, if you are launching an online clothing store and collecting data like names, email addresses, and shipping addresses to process orders, you probably don’t need a DPIA because:

1. The personal data you are collecting is standard and not sensitive
2. The risk to the rights and freedoms of individuals whose data you’re processing is low.

Here’s our resource page, where you can find all the information you need about compliance.