Data Protection Impact Assessment Procedure

Background

A Data Protection Impact Assessment (DPIA) is a process to help every employee of Aktyvus Sektorius/Eskimi (hereinafter – the Company) to identify and minimise the data protection risks of particular projects initiated by the Company.

A DPIA is a way to systematically and comprehensively analyse data processing and help the staff to identify and minimise data protection risks. It is an important tool for building and demonstrating compliance with the GDPR (i.e. accountability).

Under the General Data Protection Regulation (GDPR) the Company must carry out a DPIA where a planned or existing processing operation is “likely to result in a high risk” to individuals. Although the GDPR provides examples of data processing that would fall into this category, this is a non-exhaustive list.

It is also good practice to do a DPIA for any other major project which requires the processing of personal data.

The Data Protection Officer shall be in charge of every DPIA.

Reference Documents

  • EU GDPR 2016/679 (Regulation (EU) 2016/679)

  • Personal Data Protection Policy approved by the CEO of the Company as of []

Purpose

The purpose of this procedure is to enable the staff to:

  • identify when a DPIA is mandatory;

  • carry out a DPIA.

Scope

For all new projects and significant changes to existing systems/processes which require the processing of personal data, staff must perform at least Step 1 of this procedure to determine if a full DPIA is required.

DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of data subjects, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – to individuals or to society at large, whether it is physical, material or non-material. To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals. A DPIA does not have to eradicate the risks altogether, but should help to minimise risks and assess whether or not remaining risks are justified.

DPIA Procedure

Step 1: Identify the Need for a DPIA/whether a DPIA is mandatory

The GDPR does not require a DPIA to be carried out for every processing operation which may result in risks for the rights and freedoms of natural persons. Carrying out a DPIA is only mandatory where processing of personal data is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35 GDPR). The GDPR provides a non-exhaustive list of examples of processing that would fall into this category, and supervisory authorities are tasked with publishing a list of the kinds of processing which are subject to the requirement for a DPIA. Based on guidance from the regulators to date, the following should be taken into account when determining whether processing is “high risk” and therefore requires a DPIA.

The DPIA must be performed if the Company plans to carry out one or more of the following:

  1. Evaluation and scoring (including profiling and predicting), especially concerning a data subject’s performance at work, economic situation, health, personal preferences, reliability or behaviour, location or movements.

  2. Automated decision-making with legal or similar significant effects – is a decision made by automated means without any human involvement? An example would be an online decision to award a loan or a recruitment aptitude test that uses pre-programmed algorithms and criteria.

  3. Systematic monitoring - including through a publicly accessible place on a large scale. For example, using a camera to monitor driving behaviours on a road.

  4. Sensitive data or data of highly personal nature – this includes special categories of data as defined in Article 9:

    • racial or ethnic origin;

    • political opinions;

    • religious or philosophical beliefs;

    • trade union membership;

    • data concerning health;

    • data concerning a person’s sex life or sexual orientation;

    • genetic data;

    • biometric data;

    • as well as criminal data as defined in Article 10. An example would be a hospital keeping patient medical records or an organisation keeping offenders’ details.

  5. Data processed on a large scale – while the term ‘large scale’ is not defined, the regulators recommend that the following is taken into account: (a) the number of data subjects concerned; (b) the volume and range of data being processed; (c) the duration and permanence of the processing; (d) the geographic extent of the processing activity.

  6. Datasets being matched or combined – for example, two or more data processing operations performed for different purposes and/or by different data controllers being combined in a way that would exceed the reasonable expectations of the data subject.

  7. Data concerning vulnerable data subjects – for example, children are considered unable to knowingly oppose or consent to the processing of personal data. Patients, elderly people and asylum seekers would also be considered vulnerable data subjects.

  8. Innovative use or application of technological or organisational solutions – for example, combining fingerprint and face recognition for improved physical access control, or using a video analysis system to single out cars and recognise licence plates.

  9. When processing prevents the data subject from exercising a right or using a service or a contract – for example, processing in a public area that people passing through cannot avoid, or processing that aims to refuse data subjects access to a service or contract (e.g. a bank screens its customers against a credit reference database in order to decide whether to offer a loan).

In cases where it is not clear if a DPIA should be carried out, the guidance from the regulators is that a DPIA should be carried out anyway, as it is a useful tool for complying with the GDPR. In all cases the decision whether a DPIA should be carried out is taken by the Data Protection Officer.

Step 2: Describe the Processing in a Systematic Way

Describe how and why the Company plans to use the personal data. The description must include “the nature, scope, context and purposes of the processing”.

The nature of the processing

This is what you plan to do with the personal data. This must include:

  • how you collect the data;

  • how you store the data;

  • how you use the data;

  • who has access to the data;

  • who you share the data with;

  • whether you use any processors;

  • retention periods;

  • security measures;

  • whether you are using any new technologies;

  • whether you are using any novel types of processing;

  • which screening criteria you flagged as likely high risk.

The scope of the processing

This is what the processing covers. This must include:

  • the nature of the personal data;

  • the volume and variety of the personal data;

  • the sensitivity of the personal data;

  • the extent and frequency of the processing;

  • the duration of the processing;

  • the number of data subjects involved;

  • the geographical area covered.

The context of the processing

This is the wider picture, including internal and external factors which might affect expectations or impact.

This might include, for example:

  • the source of the data;

  • the nature of your relationship with the individuals;

  • the extent to which individuals have control over their data;

  • the extent to which individuals are likely to expect the processing;

  • whether they include children or other vulnerable people;

  • any previous experience of this type of processing;

  • any relevant advances in technology or security;

  • any current issues of public concern;

  • whether you have considered and complied with relevant codes of practice.

The purpose of the processing

This is the reason why you need to process the personal data. This must include:

  • the Company‘s legitimate interests, where relevant;

  • the intended outcome for individuals.

Step 4: Identify and Assess Risks

Identify the potential risks that may arise. Consider the potential impact on individuals and any harm or damage that might be caused by your processing – whether physical, emotional or material. In particular, look at whether the processing could possibly contribute to:

  • inability to exercise rights (including but not limited to privacy rights);

  • inability to access services or opportunities;

  • loss of control over the use of personal data;

  • discrimination;

  • identity theft or fraud;

  • financial loss;

  • reputational damage;

  • physical harm;

  • loss of confidentiality;

  • re-identification of pseudonymised data;

  • any other significant economic or social disadvantage.

Step 6: Identify Controls and Actions

Against each risk identified, consider the options for reducing that risk. Identify the current controls (how you currently manage the risk) and what further actions you will take to reduce the impact/likelihood and mitigate the risk. For example, some actions and controls that could be implemented are:

  • deciding not to collect certain types of data;

  • reducing the scope of the processing;

  • reducing retention periods;

  • taking additional technological security measures;

  • training staff to ensure risks are anticipated and managed;

  • anonymising or pseudonymising data where possible;

  • writing internal guidance or processes to avoid risks;

  • adding a human element to review automated decisions;

  • using a different technology;

  • putting clear data sharing agreements into place;

  • making changes to privacy notices;

  • offering individuals the chance to opt out where appropriate;

  • implementing new systems to help individuals to exercise their rights.

This is not an exhaustive list, and you may be able to devise other ways to help reduce or avoid the risks.

Step 7: Document Results

You should then record:

  • what additional measures you plan to take;

  • whether each risk has been eliminated, reduced, or accepted;

  • the overall level of ‘residual risk’ after taking additional measures;

  • whether the Supervisory Authority needs to be consulted.