The European GDPR has introduced new rules on the data protection impact assessment (DPIA), also called the privacy impact assessment. Let's look in detail at what it is and when it is mandatory under the new rules.
What is the Privacy Impact Assessment?
The privacy impact assessment is the internal analysis and mapping of data carried out to identify the potential risks of specific operations performed on particularly sensitive personal data. This evaluation allows you to determine suitable measures to minimize the risks in these cases. For example, if a company wants to introduce a new type of automated data tracking, it will have to carry out the assessment and introduce control and encryption systems that guarantee the security of personal data.
The GDPR provides for significant financial penalties for violations relating to the impact assessment. These penalties can go up to €10 million or up to 2% of global annual turnover. For this reason, it may be useful to carry out an impact assessment in any case, so as to take all appropriate security measures for the processing of personal data.
When the DPIA is mandatory
The impact assessment is mandatory only for specific processing operations that may involve high risks for the fundamental rights and freedoms of individuals. The GDPR legislation has provided some practical guidelines to clarify this obligation. In particular, the DPIA is mandatory when at least two of the following conditions are present:
- evaluation or scoring of users, including profiling
- automated decisions that produce significant legal effects (e.g. hiring, granting of loans, taking out insurance)
- systematic monitoring (e.g. video surveillance)
- processing of sensitive, judicial or extremely personal data (e.g. information on political opinions)
- large-scale processing of personal data (e.g. wide geographical scope, high number of subjects and volume of data with persistent duration)
- combination or comparison of data sets deriving from at least two processing operations carried out for different purposes and/or by different owners, without consent (e.g. combination of Big Data)
- data relating to vulnerable subjects (e.g. minors or subjects with psychiatric pathologies)
- use or application of new technological or organizational solutions (e.g. facial recognition)
- processing that could prevent individuals from exercising a right or making use of a service or contract (e.g. screening of a bank's customers before granting a loan)
Here are some typical examples of personal data processing that involve the obligation of a privacy impact assessment:
- a bank that automatically processes customer financial risk data to assess eligibility for a loan (points 2 and 9)
- an employer who replaces the accountant with a new management program to handle employee payrolls and introduces an automated process (points 4 and 8)
The impact assessment, on the other hand, is not mandatory when the processing operations:
- do not present a high risk to the rights and freedoms of individuals
- have a context, purpose, nature and scope similar to those of a processing operation for which a DPIA has already been carried out
- have already been subjected to verification by a supervisory authority before the entry into force of the GDPR and there have been no changes to the conditions (e.g. purpose)
- refer to EU or Member State rules or regulations for whose definition a DPIA was conducted
A typical example of personal data processing that does not involve the obligation is that of a website owner who analyzes users' purchasing habits to optimize marketing campaigns. In this case, the DPIA is not mandatory, as there are no high risks to fundamental rights and freedoms and the conditions set by the guidelines are not met.
How to carry out the privacy impact assessment
The DPIA must be performed before processing begins and must be reviewed whenever there are changes. It is the responsibility of the data controller to ensure that the DPIA is carried out. It can also be carried out by a person other than the owner (e.g. by the data controller or the owner's representative). In any case, the owner remains responsible if it is carried out by third parties.
The GDPR guidelines do not provide for a standard procedure for carrying out the impact assessment. The best way to start is to create the register of processing activities, which guarantees a clear view of the processing carried out. Furthermore, it is recommended to follow some guidelines:
- describe the processing operations envisaged and their purposes: establish the nature, scope of application, context and purpose of the processing carried out by checking how personal data are recorded and managed
- evaluate whether the processing carried out is justified by a real need and that data are not processed for superfluous purposes
- verify compliance with the proportionality principle: the data controller's interest in the processing must prevail over that of the data subject
- check that suitable measures have been determined to address risks and demonstrate compliance with regulations
- assess the risks to the rights and freedoms of data subjects and verify that they are adequately managed, for example by evaluating protection against the potential leakage or theft of relevant information
The French data protection authority has provided multi-language open source software (also in Italian) to help draft a privacy impact assessment in accordance with the law. The software, also promoted by the Italian Privacy Guarantor, is free to download. It offers a guided path to the implementation of the DPIA, according to the guidelines established by the GDPR.
How to manage privacy obligations with LexDo.it?
Adapting to the new privacy rules requires a careful evaluation of the business activity. With LexDo.it you can receive a complete service to correctly and easily manage the privacy obligations of your business. You can get dedicated GDPR advice from an experienced lawyer with one of our comprehensive plans starting at €99 + VAT. The professional will assess which requirements and documents apply to your specific case, advising you on how to proceed.
You can then create the privacy documents you need, included in our comprehensive plans. Find below a list of the documents you can create:
- Personal Data Processing Register: to collect all information relating to the management of personal data processed
In addition, the service includes 1 year of 100% online legal support to create the other legal documents you need (e.g. work or service contracts and terms and conditions for a website) and to request advice on each legal topic. You will be able to describe your situation to an experienced professional who will guide you step by step in your specific case.
To speak to the seasoned professional, you can start with dedicated privacy advice.