When is a DPIA Required? (For GDPR & Other Laws)
It's no news that businesses must take data protection seriously in today's data-centric society.
Under data privacy laws, one of the ways this initiative is enforced is through Data Protection Impact Assessments (DPIAs). But, considering how demanding these assessments can be, DPIAs aren't always required.
Naturally, this begs the question: "When is a DPIA required?"
In this article, we'll clarify the situations and criteria that require a DPIA under the GDPR and other well-known data privacy laws today.
Let's dive in!
- A DPIA helps determine whether a data processing activity may pose high risks to people's rights and freedoms. It then recommends measures to lessen or remove such risks.
- Data privacy laws like the EU’s GDPR require businesses to perform DPIAs for high-risk data processing operations.
- Aside from legal compliance, DPIAs also help mitigate privacy risks, foster trust and transparency, and enhance data quality and accuracy, to mention a few.
Understanding DPIAs: The Basics
A DPIA is a structured process for predicting and mitigating potential risks to people’s rights and freedoms. It’s an obligation that motivates businesses to prioritize data protection whenever they plan a significant project involving personal data.
Similar to PIAs (Privacy Impact Assessments), DPIAs help identify and prepare for data protection risks, ensuring your project is secure and privacy-friendly.
It's all about ensuring your data processing activities don't negatively impact people's lives. For instance, if your database is hacked due to insufficient security safeguards, criminals could use it to steal people's identities.
Does the GDPR Require a DPIA?
Yes, the General Data Protection Regulation (GDPR) does require a DPIA in certain instances. In fact, the GDPR was the first regulation to require DPIAs, and it inspired some subsequent data privacy laws to do the same.
Specifically, Article 35 of the GDPR requires businesses to perform DPIAs if they:
- Systematically and extensively profile EU residents to make decisions that legally or significantly affect them
- Process special data categories or data relating to criminal offenses on a large scale
- Systematically monitor publicly accessible places on a large scale
Note: Before performing DPIAs to facilitate GDPR compliance, it’s crucial to seek the advice of your Data Protection Officer (DPO) or a team like Captain Compliance. Their expertise and insights can prove invaluable to the process.
When is a DPIA Required Under the GDPR?
If your data processing activity is likely to pose a “high risk” to data subjects’ rights and freedoms under the GDPR, you must conduct a DPIA.
While the GDPR provides some specific instances of “high-risk” activities, EU Data Protection Authorities have provided additional clarity with ten distinct examples. Let’s briefly examine them.
Profiling of individuals using personal data
If you use personal data to analyze or predict a person’s preferences, behavior, interests, or movements, a DPIA is mandatory.
For instance, an e-commerce company that uses customer data to create targeted advertisements based on browsing history and purchase patterns must perform a DPIA.
Automated decision-making processes that may impact data subjects
Whenever automated systems (not influenced by humans) make significant decisions that affect individuals, a DPIA is crucial.
For example, if a financial institution uses a computer algorithm to determine loan approvals based on credit scores and other data, a DPIA is needed.
Systematic monitoring of individuals in public spaces
If you consistently and methodically monitor individuals in public areas, a DPIA is necessary. This could be relevant for city surveillance systems that track and analyze people’s movements in public places for security purposes.
Processing special categories of personal data
Whenever you process special data categories (also known as sensitive personal information), a DPIA is necessary to assess the potential risks to individuals.
Under the GDPR, special data categories include data relating to:
- Health status
- Racial/ethnic origin
- Sex life or sexual orientation
- Trade union membership
- Political opinions
- Religious/philosophical beliefs
For instance, a research project involving genetic data analysis for medical advancements will require a DPIA.
Large-scale processing of data
If you process personal data on a large scale, a DPIA is required. To put this in context, a healthcare provider conducting research using a vast patient record dataset must perform a DPIA due to the scale and sensitivity of the data.
Merging data collected via various processes
If you merge data from different sources or processes, creating new profiles or insights about individuals, a DPIA is needed. An example is if a company combines its online purchase data with its in-store shopping behavior to build comprehensive customer profiles.
Collecting data belonging to persons who are incapacitated
When collecting data from individuals unable to give consent or understand the implications, a DPIA is essential. This could occur in healthcare settings when collecting medical data from patients with severe cognitive impairments.
Using new technologies to process data
Whenever implementing new technologies that might impact individuals' privacy, a DPIA is required.
For example, if a company adopts a cutting-edge facial recognition system to manage access control, a DPIA would be necessary to assess potential risks to privacy.
Transferring data to countries outside the EU/EEA
If you plan to transfer personal data outside the EU or EEA, particularly to countries with “inadequate” data protection by EU standards, a DPIA is mandatory.
To illustrate, a multinational Australian company sharing EU personal data with its subsidiaries in Australia will need to perform a DPIA.
Limiting the rights of data subjects when processing data
If your data processing operations may potentially limit individuals' GDPR rights, a DPIA is vital.
For instance, if a social media platform restricts users' ability to access their personal data, a DPIA is required to review the impact on users' rights and freedoms.
When is a DPIA Required Under Other Data Privacy Laws?
The GDPR isn't the only data privacy law that requires DPIAs. Several other laws also require DPIAs in circumstances similar to those under the GDPR.
Let’s briefly go over them.
DPIAs Under Brazil’s LGPD
Unlike the GDPR, Brazil’s Lei Geral de Proteção de Dados takes a more lenient approach when it comes to DPIAs.
Accordingly, there are only two scenarios in which the LGPD addresses the need for DPIAs. They include:
- When data processing is based on a legitimate interest (Article 10)
- When processing involves sensitive data (Article 38)
In these instances, Brazil's National Data Protection Authority (ANPD) may request a DPIA from you.
That said, the Brazilian Digital Government Secretariat (SGD) also recommends a DPIA in some additional circumstances. Examples include but aren’t limited to the following:
- Automated decision-making (including profiling) that may have legal or similar effects on consumers
- Building a real person's behavioral profile
- Processing data of children and teens
- Tracking consumers' location
DPIAs Under Singapore’s PDPA
Under Singapore's Personal Data Protection Act (PDPA), the situations calling for a DPIA include the following:
- Developing a new system that involves collecting and handling personal data
- Creating a new process (including manual ones) that involves handling data (e.g., a receptionist collecting data from visitors)
- Changing the way existing systems handle personal data
- Structural changes that affect data management, such as mergers and acquisitions
- Collecting new types of personal data
DPIAs Under the Philippines’ DPA
Unlike the GDPR, DPIAs aren’t explicitly required under the Philippines’ Data Protection Act (DPA).
However, they’re highly recommended for significant data processing activities, especially in the following cases:
- When you haven’t performed a PIA for any of your data processing operations
- When implementing a new data processing system
- When significantly changing your existing data processing system
- When there are significant external developments that could negatively impact your current data processing system
- When a major data breach or recurring security incident occurs
DPIAs Under Switzerland’s FADP
Switzerland’s criteria for conducting DPIAs largely mirror those of the GDPR (with slight differences). Under Article 22, the FADP requires DPIAs for data processing activities that could present a “high risk” to individuals’ personalities and fundamental rights.
High-risk data processing under the FADP includes:
- Processing sensitive personal data on a large scale
- Systematic monitoring of public areas on a large scale
Benefits of Conducting a DPIA
Performing a DPIA is like laying a sturdy foundation for your data processing operations. Even when not mandatory, it yields numerous advantages, including the following:
Legal Compliance
First and foremost, a DPIA is a vital part of complying with applicable data protection laws (as we’ve previously established).
By assessing the impact of your data processing on individuals' privacy, you align your operations with the legal requirements of applicable laws and avoid fines for non-compliance.
Privacy Risk Mitigation
A DPIA’s overarching goal is to identify, assess, and reduce or eliminate risks associated with your data processing activities.
Through proactive risk management, DPIAs help foster a secure environment for data management, ultimately preventing data breaches and other privacy-related incidents.
Building Trust and Transparency
DPIAs can help demonstrate a commitment to transparency and trust-building. When consumers know that their privacy is a priority and risks are proactively mitigated, their trust in your business grows.
Moreover, transparency in managing and protecting data instills confidence in stakeholders and enhances your reputation.
Cost Savings
Conducting a DPIA early in your project lifecycle saves costs for your business by preventing expensive fixes later.
After all, identifying and addressing privacy issues from the start is more efficient and economical than retrofitting solutions into an already established system.
Better-Informed Decision-Making
DPIAs can also uncover valuable data insights that guide decision-making during project planning.
When you understand the privacy implications of your data processing activities, you can make well-informed choices about your corporate compliance program, methodologies, and strategies.
Improved Data Quality and Accuracy
By analyzing data processing practices, a DPIA may reveal areas for improvement in your data quality and accuracy.
This can lead to better privacy governance, elevating the integrity of your data and, consequently, the effectiveness of your business operations.
Now that you understand when a DPIA is necessary, it's time to address this vital aspect of your privacy responsibilities with an effective compliance service.
Our experts at Captain Compliance stand ready to help you seamlessly fulfill your privacy obligations. We believe in a proactive approach to compliance, and our services empower you to navigate data privacy confidently.
Get in touch today to take the first stride towards a compliant DPIA strategy.
When should I consider conducting a DPIA for my project or process?
You should consider a DPIA when your data processing activities present potential risks to individuals' privacy. Examples include launching a new marketing campaign via profiling or adopting innovative technologies for data analytics.
Are there specific indicators that signal the need for a DPIA?
Yes, indicators like large-scale data processing, the use of technologies like AI, or the processing of special data categories like health or ethnicity often warrant a DPIA.
What’s more, any data processing activity that could impact individuals significantly or limit their rights highlights the need for a DPIA.
Does the size or type of my business affect the need for a DPIA?
No, it doesn’t. If your data processing activities meet the criteria set by relevant data protection laws — like the GDPR or LGPD — a DPIA is required. Whether you are a startup or a large enterprise, compliance with these laws remains essential.
Can conducting a DPIA save my business time and resources in the long run?
Absolutely. While a DPIA requires an initial investment of time and resources, it often prevents legal issues, fines, and costly rework.
Pinpointing and addressing privacy risks at the outset ensures a smoother, more compliant data processing journey in the long term.