DPIA: 5 Situations Where May (or May Not) Need One
A Data Protection Impact Assessment (DPIA) is a report designed to limit the threats to an individual’s right in high-risk processing situations. It’s a complicated undertaking, so it’s helpful to avoid if it’s not actually necessary. However, as you might imagine, this broad definition has led to some controversy over which situations merit one. (If you’re in the financial industry, it may seem as though you need one for nearly every project, but thankfully, this is not the case.) We’ll look at how the DPIA works and when to implement it.
How Does the DPIA Work?
The GDPR explicitly requires all controllers to implement protection in order to comply with its regulations. (A controller could be any company, organisation, or even individual.) However, the DPIA is not needed in every scenario — only when there is a high risk to the rights and freedoms of individuals. The question of high risk can be a murky one though, which is why the GDPR attempts to clarify with the following parameters:
- Systematic evaluation of personal aspects of the individual (this includes profiling)
- Processing sensitive data on a large scale
- Systematic monitoring of the public on a large scale
A DPIA will include descriptions of how the data is being processed, what types of risks are associated with the processing, and how those risks will be averted. The point is not to eliminate all risks, only to limit wherever possible. Article 29 Working Party (WP29) provides additional guidelines meant to help both DPOs and controllers comply with the GDPR, including best practices and examples.
Both the GDPR and WP29 do help us to understand more about when a DPIA is necessary, but there is still some ambiguity. For example, what exactly constitutes a large scale? How long does a controller need to process data before it crosses the line to systematic? If you’re following the best practice recommendations of the WP29, you should be conducting a DPIA if there is any uncertainty after taking into account both the need for personal data and the extent of the project.
There is also some leeway when it comes to DPIAs. Some projects may meet some or even all of the criteria described above and still be considered unlikely to result in high risk. In this case, the controller needs to justify and document why they did not conduct the report. In other cases, a project may still be considered high risk even after the controller does everything in their power to prevent risks. This does not necessarily mean that the project needs to be stopped in its tracks, only that additional consultation may be needed from a supervisory authority to justify its completion.
The main goal is to do an in-depth review of the data you’re processing before deciding exactly how to process it. You need to think through common scenarios and how the circumstances might impact the rights of the people involved. Once the risks have been assessed and addressed, you’ll need to then record and monitor the outcomes and adjust your approach as needed.
Monitoring of Employees: DPIA Likely Needed
Many companies choose to systematically monitor their employees for quality assurance purposes. Data controllers may end up reviewing everything from an employee’s internet activity to the amount of time they spend completing certain tasks. This is within a company’s rights, but it will require a DPIA because it involves highly sensitive subjects as well as ongoing oversight.
During the DPIA, controllers should keep in mind the inherent freedoms of the individual for privacy. While they may be at work, they’re also entitled to some degree of autonomy over their information.
If an employee is searching for facts about a certain medical condition during their lunch hour (and they’re entitled to use the computer for personal purposes), the monitoring of their activity may constitute a violation of the GDPR. A DPIA would be needed to eliminate the possibility of discrimination or the unjust sharing of information.
National Database for Fraud Prevention: DPIA Likely Needed
The financial services industry has every incentive to monitor for fraud whenever and wherever it occurs. If you’re offering a new fraud detection service for all clients, it will most likely mean monitoring their information on a daily basis and employing automation software to spot red flags. You’ll be looking for any anomalies that signal a crime, but you need to think about how clients will be impacted by the gathering of information.
Certain monitoring criteria may stray into a gray area, creating conflicts that need some finesse to resolve. Because you’re scoring the data, using algorithms to detect legal matters, and working with sensitive data, the DPIA is there to help resolve delicate situations before they even arise.
This will also allow you to go through every step of the fraud system you implement, including which types of data to collect, how to train the staff to anticipate and manage risks, and what kinds of technology to use.
For this scenario, controllers should also consider how they can best anonymise their data whenever possible, creating internal guidelines to help employees process data and reduce retention periods.
Gathering Public Social Media Data for Profiling: DPIA Likely Needed
This situation is fairly clear-cut when it comes to the GDPR recommendations for a DPIA. You’re collecting potentially sensitive data and using it for the benefit of the company. For instance, a young professional who is looking for a new investment opportunity joins a public group on Facebook to seek advice.
If you’re using that information to profile the person in the market for a specific service, this could fall under an invasion of privacy. During a DPIA, you’ll cover the nature of the data, the volume and sensitivity of the data, as well as the duration of the processing. You’ll estimate how many data subjects will be involved, the geographic area you’ll be covering, and the frequency of processing.
Using a Mailing List to Send a Generic Flyer: DPIA Likely Not Needed
A financial services company does not need to complete a DPIA every time they use their data. If you’re sending out an advertisement to clients or potential clients advertising the start of a new service, this would not constitute a high-risk situation because there’s nothing that could be reasonably perceived as sensitive or private.
As an aside, GDPR requires fairness in processing for financial services. This means that companies cannot deny certain people information or target them with excessively costly products. If you’re using a general mailing list, you must ensure that the information you do send is reasonable for all those who receive.
Using Your Website for Advertisements to Potential Clients: DPIA Likely Not Needed
In the case of social media data harvesting, a financial services company would likely need a DPIA. However, if you’re using your own website, this is another matter. Profiling is a complicated topic from a privacy standpoint, but from the perspective of the GDPR, it is acceptable to profile clients who visit your site.
For instance, if a visitor was looking at a page about the terms of a loan, then you might display an advertisement to the same customer regarding your rates on another website. This could be considered a high-risk venture due to the evaluation of data, but because the profiling is limited and broad, it does not necessarily constitute a threat to the consumer.
Assessing Your DPIA
Your data processing is considered fluid, meaning your DPIA evaluations should be the same. As the scope of a project changes, you may decide that a DPIA is no longer necessary because the threat level has changed to low. Or you might decide that a project that was once considered low risk has now transitioned into a gray area. It’s considered good practice to regularly review your policies and update them when necessary (and always err on the side of caution).
Finding a Way
There is no single article or documentation that can provide all the legal advice or guidance you need to make these decisions. This is why so many financial services companies end up violating rules without even realizing it. When you’re assessing risk to the customer, it’s easy to discount privacy concerns in favor of putting an initiative into motion. A DPIA puts the matter front and center and prompts company leaders to have discussions with their DPOs about how to best protect their clients, employees, and the general public.
As we wind our way through COVID-19 and the introduction and use of contact tracing apps, all companies need to consider how privacy can be compromised in favor of urgency. While it’s important to fast-track certain solutions, it’s a slippery slope for some companies that can land them in serious hot water. It all boils down to addressing uncertainty or potentially controversial measures with your supervisory or legal team. A DPIA can go a long way toward preventing problems before they start. In addition to assessing risks in the report, implementing the right software solution across departments can help a financial services company maintain GDPR compliance without the hassle.