The Data Privacy & Tailored Risk Blog

Why and How, our software now has a Data Protection Impact Assessment Feature. - PrivIQ

Written by Tai Chesselet | Oct 9, 2020 4:00:00 AM

What is a DPIA?

A DPIA (Data Protection Impact Assessment) is an exercise an organisation carries out to identify, analyse and mitigate the risks to the personal information it holds that arise from a project, a change or a new scenario within the organisation.

The personal data and sensitive personal data held by an organisation are never static. Organisations constantly change how they perform their tasks in order to respond to the market, improve efficiency and meet the requirements of their stakeholders.

A DPIA must be performed before any change that is likely to result in a high risk to the rights and freedoms of individuals (GDPR Article 35). In assessing the risk, what counts is the impact on the individuals concerned, not the impact on the organisation. For example, a business installing CCTV cameras in its warehouses for security purposes affects the privacy and personal information of everyone who enters those warehouses.

Where the identified risks cannot be sufficiently mitigated, the organisation must consult the supervisory authority before the processing begins (GDPR Article 36).

Before embarking on this development, we:

  • looked at a number of DPIA implementations,
  • reviewed the advice offered by various regulatory authorities, and
  • spent a significant amount of time in the design phase.

Building this kind of workflow is tricky: it has to be available in multiple languages and drive a fairly complex user interface. I do hope we have got it right.

Our new DPIA service is included in all of our packages at no extra cost.

This is how we have implemented it.

A look at our DPIA Service, which is included in all our subscriptions.

We wanted to offer a better DPIA service than what is currently available on the market. This is a first look at it; we hope you can see value in it.

Kanban-Style Dashboard

A key design principle is clean, clear screens on which information is uncluttered and easily understood.

We used the Kanban concept (see Trello) for managing DPIAs as they flow through the stages of their life-cycle. Movement from one phase to the next is controlled by the information entered and verified at each stage: a DPIA cannot be moved forward until the required information is present and has been checked.

During its lifecycle a submitted DPIA may move between stages in a nonlinear way, for example:

Draft -> Review -> Editing -> Submitted -> Editing -> Submitted -> Complete.

In the example above, the reviewer sent the DPIA back for editing and it was then re-submitted.

Overview of the DPIA feature dashboard.

This screen outlines the main parameters of the DPIA. The key data points are the project due date, the status, a full description of the project, and the owners, reviewers and approvers of the DPIA to be submitted.

Screening questions to determine if a DPIA is required.

This screen is designed to make it easy for an organisation to determine whether a DPIA is required at all. A number of criteria, if met, mean that a DPIA is not required; these include, amongst others:

  • processing of patients' personal data by an individual physician or other healthcare professional, which is not considered large-scale processing (GDPR Recital 91),
  • processing of clients' personal data by an individual lawyer, on the same basis (Recital 91),
  • processing operations that appear on the exclusion list published by the supervisory authority (GDPR Article 35(5)),
  • and more.

In these cases the DPIA is still recorded, but no risk analysis is required and it moves straight to a "to be approved" status.

Purpose, processing justification and ensuring individual’s rights.

The DPIA is intended to be prospective and proactive: an early-warning system that considers privacy and compliance risks from the initial project design through to completion.

This area is the meat of the DPIA. Here the purpose of the project is defined: the system assists in classifying the type of project, then provides free-format text for describing the purpose.

Throughout the DPIA, any number of notes and files can be attached in context to the specific DPIA, so all working documents and notes are managed in one place and kept for review.

The processing-justification step enforces compliance: only valid lawful bases (GDPR Article 6) can be selected, and one must articulate what makes each purpose 'specified, explicit and legitimate' (Article 5(1)(b)). It also surfaces any new purposes and personal data that could influence the risk analysis. New processing purposes, as well as new personal and sensitive information types, can be added here, but they are not automatically integrated into the data map; that must be done manually once the project has been completed.

Finally, one must determine and demonstrate that the necessary controls are in place so that individuals' rights are protected and they are able to exercise those rights.

At this point the DPIA is submitted for approval.

Interim approval by an assigned approver.

The approver can view the entire DPIA, all the attached notes and files and then determine whether to approve the DPIA or to send it back to the owner for correction or addition of information.

There are two stages to the approval process. The first is approval of the first four tabs of the DPIA. Once the delegated approver has approved them, as on the screen above, the DPIA returns to the owner, the risks-and-mitigation tab is activated, and the second round of approval is enabled.

Risk mitigation measures are defined for identified risks.

Once interim approval has been granted, the final stage is to record any number of identified risks, each with:

  • its severity level,
  • the likelihood of it occurring, and
  • its impact.

One then records the mitigation measures that are, or will be, put in place for each risk. Supporting documents and notes can be added here.

The DPIA is then sent to the approver for final approval as per the screen below.

Where required, the DPIA owner then sends the fully completed DPIA to the supervisory authority.

The completed, mitigated and approved DPIA can then be sent to the supervisory authority. Under GDPR this is the prior consultation of Article 36: it is mandatory only where a high risk to individuals remains after mitigation, and the authority responds with written advice rather than a formal approval. Where no high residual risk remains, the approved DPIA is retained as the organisation's accountability record and processing can proceed without consultation.

Once the authority has responded, the project can move on to its next phase. Should the supervisory authority send the DPIA back for further work, it can be re-opened for editing and the entire approval process re-initiated.
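The gated, role-bound lifecycle described in the sections above (owner submits, approver sends back or grants interim approval, risk tab unlocked only after that, final approval, re-opening after the authority asks for more work) can be enforced with a small transition table plus per-stage data checks. The Python below is an added illustration written for this post, not PrivIQ's code; the stage names, the owner/approver roles, the action names, the guard functions and the 1-5 severity and likelihood scales are assumptions made here, and the CCTV walk-through is constructed sample input.

```python
"""Role-gated DPIA workflow: added illustration, not PrivIQ's code; names and scales are assumptions."""
from dataclasses import dataclass, field
from enum import Enum

# GDPR Art. 6(1)(a)-(f): the only values accepted as a lawful basis.
LAWFUL_BASES = {"consent", "contract", "legal obligation", "vital interests",
                "public task", "legitimate interests"}

class Stage(Enum):
    DRAFT = "draft"
    INTERIM_REVIEW = "interim review"  # tabs 1-4 with the approver
    EDITING = "editing"                # sent back to the owner
    RISK_ANALYSIS = "risk analysis"    # interim approved; risk tab unlocked
    FINAL_REVIEW = "final review"      # risks and mitigations with the approver
    COMPLETE = "complete"

# (current stage, action) -> (role allowed to act, next stage); nothing else is allowed.
TRANSITIONS = {
    (Stage.DRAFT, "submit"): ("owner", Stage.INTERIM_REVIEW),
    (Stage.EDITING, "submit"): ("owner", Stage.INTERIM_REVIEW),
    (Stage.INTERIM_REVIEW, "approve"): ("approver", Stage.RISK_ANALYSIS),
    (Stage.INTERIM_REVIEW, "send_back"): ("approver", Stage.EDITING),
    (Stage.RISK_ANALYSIS, "submit"): ("owner", Stage.FINAL_REVIEW),
    (Stage.FINAL_REVIEW, "approve"): ("approver", Stage.COMPLETE),
    (Stage.FINAL_REVIEW, "send_back"): ("approver", Stage.RISK_ANALYSIS),
    (Stage.COMPLETE, "reopen"): ("owner", Stage.EDITING),  # authority asked for more work
}

class WorkflowError(Exception):
    """An actor, stage or data check blocked the transition."""

@dataclass
class Risk:
    description: str
    severity: int       # assumed 1-5
    likelihood: int     # assumed 1-5
    mitigation: str = ""

@dataclass
class DPIA:
    owner: str
    approver: str
    purpose: str = ""
    lawful_basis: str = ""
    rights_controls: str = ""
    stage: Stage = Stage.DRAFT
    risks: list = field(default_factory=list)
    history: list = field(default_factory=list)  # (from, to, actor, note)

    def act(self, actor, action, note=""):
        """Apply one workflow action; raises WorkflowError if anything blocks it."""
        if (self.stage, action) not in TRANSITIONS:
            raise WorkflowError(f"{action!r} is not allowed in {self.stage.value!r}")
        role, new_stage = TRANSITIONS[(self.stage, action)]
        if actor != getattr(self, role):   # exactly one named role per transition
            raise WorkflowError(f"{actor!r} is not the {role} of this DPIA")
        problems = GUARDS.get(new_stage, lambda d: [])(self)
        if problems:
            raise WorkflowError("; ".join(problems))
        self.history.append((self.stage, new_stage, actor, note or action))
        self.stage = new_stage

    def add_risk(self, actor, risk):
        # The risk tab only exists once interim approval has been granted.
        if actor != self.owner or self.stage is not Stage.RISK_ANALYSIS:
            raise WorkflowError("risk tab is locked for this actor or stage")
        self.risks.append(risk)

    def risk_score(self):
        # Highest severity x likelihood; the caller sets the Art. 36 threshold.
        return max((r.severity * r.likelihood for r in self.risks), default=0)

def tabs_complete(d):
    """Guard for interim review: tabs 1-4 filled in, lawful basis from the allowed set."""
    problems = [f"{f} is empty" for f in ("purpose", "lawful_basis", "rights_controls")
                if not getattr(d, f)]
    if d.lawful_basis and d.lawful_basis not in LAWFUL_BASES:
        problems.append(f"{d.lawful_basis!r} is not a lawful basis")
    return problems

def risks_mitigated(d):
    """Guard for final review: every recorded risk has a mitigation."""
    return [f"no mitigation for {r.description!r}" for r in d.risks if not r.mitigation]

GUARDS = {Stage.INTERIM_REVIEW: tabs_complete, Stage.FINAL_REVIEW: risks_mitigated}

def run_demo():
    """Constructed CCTV DPIA walked through the lifecycle; returns (stage path, score)."""
    d = DPIA(owner="alice", approver="bob")
    d.purpose, d.lawful_basis = "CCTV in warehouses", "legitimate interests"
    d.rights_controls = "signage, 30-day retention, access-request procedure"
    d.act("alice", "submit")
    d.act("bob", "send_back", "purpose too vague")     # back to editing
    d.purpose += ": theft prevention at loading bays"
    d.act("alice", "submit")                           # re-submitted
    d.act("bob", "approve")                            # interim approval unlocks risk tab
    d.add_risk("alice", Risk("footage kept too long", 4, 3, "auto-delete at 30 days"))
    d.act("alice", "submit")
    d.act("bob", "approve")                            # final approval
    return [h[1].value for h in d.history], d.risk_score()
```

Two design points are worth noting. First, authorisation is attached to each transition rather than to a screen: an approver pressing "approve" while the DPIA is in Draft, or an owner approving their own DPIA, is rejected by the table lookup and role check before any data is touched. Second, the data guards are keyed on the destination stage, so the lawful-basis whitelist and the "every risk has a mitigation" rule are applied every time the DPIA re-enters review, including after a send-back or a re-opening, and not only on the first pass.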

Including all the key features

This is how the DPIA process is laid out in the software, which is available now. The key features of this part of our GDPR compliance service are:

  1. It is fully collaborative, with a flexible built-in workflow and the ability to define multiple role-players.
  2. The system guides one through completing a valid, by-the-book DPIA and helps to determine whether one is required at all.
  3. The DPIA projects are clearly phased so one can see at a glance what stage each one is in.
  4. Any number of notes and files can be attached to a DPIA providing a valuable repository of all working notes and required artefacts.