What is a DPIA and when is it needed in the Digital Health Sector?
One of the many new concepts introduced by the GDPR (the EU General Data Protection Regulation) is the Data Protection Impact Assessment (DPIA), regulated by Article 35. The DPIA can be defined as a process designed to:
"[...] describe the processing, assess the necessity and proportionality of a processing and to help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data (by assessing them and determining the measures to address them)".[^1]
Five "Ws" and an "H" on DPIA
Why
A DPIA is one of the processes identified to demonstrate compliance with the GDPR's data protection provisions. It is different from a Privacy Impact Assessment (PIA), which helps you demonstrate data privacy compliance to all stakeholders involved in the privacy process, and from a Security Risk Assessment, which is a tool designed to verify and implement the correct data security measures through an accurate checklist.
The DPIA follows a risk-based approach: by analyzing the nature, scope, context, and purpose of your processing you will be able to show how much it affects data protection and, more generally, the rights and freedoms of EU citizens.
Who
The DPIA can be carried out by any person or organization inside or outside the business if explicitly appointed by the Data Controller. However, the Data Controller (i.e. the entity offering the service to end users) remains responsible and accountable for the DPIA. The Data Controller can be assisted by DPOs or Data Processors.
Where
The GDPR applies to all companies offering services to EU citizens. The company does not need to have a legal entity in the EU; the only criterion is whether or not it processes EU citizens' data.
When
The DPIA is mandatory where the processing involves sensitive data, or in other cases that are "likely to result in a high risk to the rights and freedoms of natural persons".[^2] In order to understand whether your processing is likely to result in a high risk, you need to describe its nature, scope, context, and purpose. Furthermore, the Article 29 Working Party identified some situations[^3] in which processing always results in a high risk (see the footnote for details). Remember that the higher the risk, the higher the fines authorities may impose.
Furthermore, the DPIA is a process which needs to be carried out before the processing of data starts. It is the very first instrument through which you can fulfill the Privacy by Design principle, that is, to consider privacy and data protection implications from the very beginning of the design of your digital health service or product.
What
A DPIA must be performed for each individual processing activity, or only once when multiple processing operations are similar in terms of the risks presented (e.g. when the same technology is used to gather the data). Remember that the DPIA should preferably be a document ready to be shown and published.
The GDPR sets out[^4] some minimum guidelines on what a DPIA must contain:
- A description of the processing operations;
- A description of the purposes of the processing;
- An assessment of the necessity and proportionality of the processing;
- An assessment of the risks to the rights and freedoms of data subjects;
- A description of the measures envisaged to address the risks and demonstrate compliance with the GDPR.
How (Chino.io can help you)
When sensitive data are being processed, a DPIA is always needed. Hence, the key point is to understand whether or not you collect sensitive data.
Once you have correctly understood what type of data you collect, we at Chino.io can help you tackle Data Protection Impact Assessments with our documentation. We can also help you assess the different risks and describe the security measures envisaged to address those risks.
For further information, do not hesitate to contact us at info@chino.io.