A guide on DPIA - how to do it and when to consult with the supervisory authority

by Sypher | Published in Resources - January 08, 2024


We recently had the pleasure of moderating a webinar on Data Protection Impact Assessment, and here we present the highlights of this online event. 

Our guests: Daniel Vinerean, Senior Coordinating Lawyer, D&B David și Baias and Robert Girdoc, Senior Manager, PwC Romania, member of the CEE Cybersecurity Team. Event host and moderator: Mihai Ghiță, CPO and co-founder of Sypher.  

Let’s dive in. 

What is a DPIA and when should it be carried out? 

The GDPR defines the Data Protection Impact Assessment, or DPIA for short, mainly in terms of when it is required rather than what it is. 

But what is a DPIA?

We can define it as a complex process aimed at systematically analysing processing activities, identifying the risks of these activities and determining risk mitigation measures. In particular, the DPIA helps to comply with the accountability principle of the GDPR Regulation and demonstrates compliance or adherence to the applicable legal requirements for the protection of personal data. 

The role of the DPIA is not to eliminate risks, as it is not possible to eliminate risks completely, but to determine the level of risk that the controller is willing to accept in relation to the benefits that the processing activity can bring. It is also a tool for driving change by helping to reduce the risks to which personal data are exposed. 

What else does the Regulation say?

Such an assessment is required in the case of high-risk processing. Here are some examples of such processing mentioned in the GDPR Regulation: 

  • Use of automated means of data processing, including profiling; 
  • Processing of special categories of personal data, large-scale personal data and data relating to criminal convictions; 
  • Large scale systematic monitoring in publicly accessible areas. 

There is also guidance from the European Commission to help determine the 'high risk' component. 

In addition, national authorities may determine additional situations where such assessments may be required. 

Who is responsible for carrying out the DPIA, and what is the role of the C-suite in this process? 

On the one hand, the organisation's management has overall responsibility for ensuring compliance with data protection legislation, including carrying out this impact assessment where necessary. The executive also provides the necessary resources to carry out this analysis, approves the DPIA plan and the final results to be implemented. 

On the other hand, the DPO acts as a liaison between management and operational teams, providing advice and assistance on data protection requirements. The DPO explains to management the complexity of data protection issues and the importance of this compliance process. 

What else does the DPO do?

  • Coordinates the process of conducting the analysis (note: coordinates, not actually conducts the analysis); 
  • Facilitates the involvement of relevant teams and stakeholders; 
  • Monitors and updates the DPIA process in line with changes in legislation or in the way data is processed. 

How is the DPIA carried out? What does the process look like?

The GDPR Regulation, Article 35, tells us that this data protection impact assessment process must include: 

  • A systematic description of the processing operations and their purposes. 

The people best placed to provide such a description are the process owners, the heads of departments, the experts who know exactly what is going on and what they are trying to achieve with the processing activity in question. 

  • Determining the legal basis on which this processing activity is to be carried out; 
  • Assessing the necessity (from the controller's perspective: why does the company want to do this processing?) and proportionality (the impact on data subjects). 

It's important to balance the rights and freedoms of data subjects against the interests pursued by the controller, and to determine whether such an activity can be justified and carried out in the future. 

  • Identifying and quantifying the risks that may affect the personal data collected and processed as a result of carrying out the activity. The next step is to define the risk mitigation measures. 

Those who manage IT systems or who are responsible for corporate governance within the organisation will also have a say in these elements. 

The conclusions are, of course, complemented by the input and recommendations of the DPO, the actual risk analysis and the management decision on the processing activity. 

How does the risk assessment process work? 

How you assess risk is really the big question and the essence of this type of analysis. It is important to remember that risks should be considered in the light of the operator profile. 

It is best to assess risks numerically and consider two components: probability and impact. 

Probability can also be assessed according to the organisation's history: whether there have been similar situations that may represent the materialisation of the identified risk, whether they have occurred with a certain frequency, etc. 

It is recommended to use a scale from 1 to 4, reflecting the likelihood of the risk occurring: 1 = negligible, 2 = limited, 3 = significant, 4 = maximum. 

The impact should be analysed on the same scale. However, here we are thinking of situations where the data subjects may be affected financially, in terms of health, reputation, where legal or contractual obligations are involved, or other situations that may have an impact on the data subjects. 

The identified risk is now quantified by multiplying the two values - the likelihood of occurrence and the impact it would have. In essence, a risk assessment matrix is constructed with these values. It is then recommended to establish thresholds - e.g. 1-6, 7-11, etc. - and to define risk mitigation and intervention measures for each of these thresholds. 

A prioritisation process can also be used here, with high impact activities naturally taking precedence over others. 

In some cases, it may also be advisable to 'layer' risks and take action in a phased manner, by area, if, for example, the risk mitigation measures to be applied require costly solutions or multiple resources. 
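As an added example (not code from the webinar or from Sypher), here is a small Python risk-register scorer implementing the method above: likelihood and impact on the 1-4 scale, their product as the risk score, banding by thresholds, and prioritisation with high-impact items first. The 1-6 and 7-11 bands are the page's own; the 12-16 top band, the band names and the sample risks are assumptions.

```python
# Added example: scoring a DPIA risk register (likelihood x impact, 1-4 each).
from dataclasses import dataclass

SCALE = {1: "negligible", 2: "limited", 3: "significant", 4: "maximum"}

# (upper bound inclusive, band name). Bands 1-6 and 7-11 are from the page;
# 12-16 is an assumed top band, since 4 x 4 = 16 is the maximum score.
DEFAULT_BANDS = [(6, "low"), (11, "medium"), (16, "high")]


@dataclass
class Risk:
    name: str
    likelihood: int  # 1-4
    impact: int      # 1-4

    def __post_init__(self):
        # Reject values outside the 1-4 scale before any score is computed.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in SCALE:
                raise ValueError(f"{label} must be 1-4, got {value!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def band_for(score: int, bands=DEFAULT_BANDS) -> str:
    """Map a score to the first band whose upper bound it does not exceed."""
    for upper, name in bands:
        if score <= upper:
            return name
    raise ValueError(f"score {score} is above the top band")


def prioritise(register):
    """Highest score first; ties broken by impact (high impact takes precedence)."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def matrix():
    """4x4 risk assessment matrix: matrix()[likelihood][impact] -> band name."""
    return {lk: {im: band_for(lk * im) for im in SCALE} for lk in SCALE}


# Constructed sample register (illustrative entries, not from the webinar).
SAMPLE = [
    Risk("CCTV footage retained beyond policy", likelihood=3, impact=2),
    Risk("Health data in unencrypted backups", likelihood=2, impact=4),
    Risk("Profiling model drift affects credit decisions", likelihood=3, impact=4),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE):
        print(f"{r.score:2d} {band_for(r.score):6s} {r.name}")
```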

Another important aspect:

When we identify risks, it's good to identify the controls we put in place to mitigate them. For this reason, it is also important to establish some "key risk indicators" to monitor the effectiveness of these controls. 

When is it necessary to consult with the supervisory authority? 

The analysis described above identifies a number of more or less high risks. Risk mitigation measures can be implemented so that the level of risk is lowered. 

However, there are also situations where the risk cannot be reduced to an acceptable level for the organisation, but it is still desirable to carry out the activity in question. 

This is when consultation with the Authority is required. 

The Authority will be consulted on the processing activity in general, but also on possible risk reduction measures that can be implemented. 

Who makes the decision to consult the authority? 

The role of the DPO is to inform management and recommend that it consult the Authority. But the decision lies with the executive team. It is the company, the operator, that is required to implement both the activity and the risk mitigation measures. 

Once we have completed the DPIA, what do we do with it? 

In any case, the resulting document should not remain a mere exercise. First and foremost, we need to ensure that the risk mitigation measures identified in this analysis are implemented effectively and on time. 

We should also ensure that we regularly review this analysis to check that it is still relevant and up to date - both from a legislative point of view and for the analysis itself. 

How often should we review the DPIA? 

At least annually, and whenever there are significant changes to the data processing activities or to the legislative context, or significant changes to the digital infrastructure. 

We also take into account the regular monitoring of the risk controls that we talked about earlier, to make sure that they are working as they should and that they are not becoming redundant. 

Going back to the purpose of the DPIA, it is important to: 

  • Communicate the results of the analysis to all levels of the organisation; 
  • Ensure that all stakeholders are aware of the risks and safeguards; 
  • Organise training on compliance in general or more specifically on the implications of the review; 
  • Implement continuous monitoring of processing processes to ensure that safeguards are effective and to identify new risks or changes in the operating environment. 

Tip: Keep the DPIA documentation and related records to demonstrate compliance in the event of possible audits or requests from authorities. 

In conclusion, the DPIA should not "sit in a drawer" but should actively improve data protection. It is therefore necessary to formalise the whole process, possibly in the form of a policy, in order to ensure the necessary recurrence of review.  

Most importantly, the DPIA should not remain a theoretical exercise, but a practical tool to continuously improve compliance in the long term. 

What are the benefits and implications of DPIA beyond GDPR? 

A properly conducted DPIA demonstrates an organisation's commitment to data protection and helps to improve its reputation with customers and partners. 

Another aspect worth mentioning is the proactive approach to risk, which allows potential problems to be identified and remedied before they become critical or seriously affect data subjects or systems. After all, we are talking about data in general, not just personal data. 

The DPIA can also help us to have a control plan in the context of other legislation, such as the NIS Cyber Security Act in the case of essential service operators. 

Clearly, the DPIA is a powerful tool that helps to embed data protection in the DNA of organisations and to responsibly manage the risks associated with the processing of personal data and beyond. 

What do we do when we have a lot of DPIAs to manage?

To manage many DPIAs, including everything related to documentation and especially periodic reassessments, it is recommended to use specialised software applications such as Sypher, which help to keep documentation up to date, avoid redundancy - you won't update the same information in 10 places - and, last but not least, ensure continuity in case of staff changes and more. 

For more details on the DPIA, practical examples of how risk assessments or activities have required consultation with the authority, potential conflicts of interest, and to hear live questions from the audience, watch the full webinar recording (in Romanian). 