One of the many new concepts introduced by the GDPR - the EU General Data Protection Regulation - is the Data Protection Impact Assessment (DPIA), regulated at art. 35. The DPIA can be defined as a process designed to:
"[...] describe the processing, assess the necessity and proportionality of a processing and to help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data (by assessing them and determining the measures to address them)".
Five "Ws" and an "H" on DPIA
A DPIA is one of the processes identified to demonstrate compliance with GDPR data protection dispositions. It is different from a Privacy Impact Assessment (PIA), which helps you demonstrate data privacy compliance to all stakeholders involved in the privacy process, and from a Security Risk Assessment, which is a tool designed to verify and implement the correct data security measures through an accurate checklist.
The DPIA follows a risk-based approach: by analyzing the nature, scope, context, and purpose of your processing you will be able to show how much it impacts on data protection and, more generally, on the rights and freedoms of EU citizens.
The DPIA can be carried out by any person/organization inside or outside the business if explicitly appointed by the Data Controller. However, the Data Controller (i.e. the entity offering the service to end-users) remains the subject responsible and accountable for the DPIA. He/she can be assisted by DPOs or Data Processors.
GDPR applies to all companies offering services to EU citizens. The company doesn’t need to have a legal entity in the EU, the only valid criteria are whether they process or not EU citizens data.
The DPIA is mandatory where the processing involves sensitive data, or in other cases that are “likely to result in a high risk to the rights and freedoms of natural persons”. In order to understand if your processing is likely to result in a high risk, you need to describe the nature, scope, context, and purpose of it. Furthermore, the art. 29 Working party identified some situations where processing is always resulting in a high risk (please read the footnote for a deepening). Remember that the higher the risk, the higher could be fines imposed by authorities.
Subscribe to Chino.io newsletter
Furthermore, the DPIA is a process which needs to be carried out before the processing of data is started. It is the very first instrument thanks to which you will be able to fulfill the Privacy by Design principle, that is to consider privacy and data protection implications from the very beginning of the design of your digital health service product.
A DPIA must be performed for each singular processing activity, or only once when multiple processing are similar in terms of the risks presented (e.g. when the same technology is used in gathering the data). Remember that the DPIA should preferably be a document ready to be shown and published.
The GDPR sets out some minimum guidelines on what a DPIA must compulsorily contain:
- A description of the processing operations
- A description of the purposes of the processing;
- An assessment of the necessity and proportionality of the processing
- An assessment of the risks to the rights and freedoms of data subjects;
- A description of the measures envisaged to address the risks and demonstrate compliance with the GDPR.
How (Chino.io can help you)
When sensitive data are being processed a DPIA is always needed. Hence, the key point is to understand whether you collect or not sensitive data. You can easily assess that by downloading our free Decision Tree, a 5. min test where you will be able to understand the different implications related to your processing.
Once you have correctly understood what type of data you collect we at Chino.io can help you tackle Data Protection Impact Assessments thanks to our useful documentation. We can also help you assess the different risks and describe the different security measures envisaged to address those risks.
The ultimate guide on GDPR and HIPAA compliance
See Art. 29 WP, WP 248, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679. ↩︎
See art. 35, and  GDPR. ↩︎
The situations identified by the Art. 29 Working Party which should always be considered as "high risks" are when: a) Evaluation, scoring or predicting of EU citizen's data are put in place (this case includes profiling techniques); b) Special categories of data as defined in art. 9(1) GDPR (e.g. health data) are being processed on a large scale; c) There is a systematic monitoring, namely a processing used to observe, monitor or control data subjects, including data collected through “a systematic monitoring of a publicly accessible area” (see art. 35(c) GDPR); d) Data are being processed on a large scale. This is one of the most relevant cases. e) Datasets are being combined (e.g. from two or more processing operations); f) Data concerning vulnerable subjects are being processed (e.g. natural persons unable to consent to, or oppose, the processing of his or her data); g) Innovative use or applying technological or organisational solutions, such as Internet of Things applications; h) When Data are being transferred across border of the EU. ↩︎
See art. 35(7) GDPR. ↩︎