
Q&A: Data Protection Impact Assessment, or DPIA

Updated: May 21

[Image: a person's hands examining printed data charts and graphs at a wooden desk, beside a smartphone and office supplies. Image source: www.unsplash.com]

Written by Isabela Guarino Tancredo, Privacy and Data Protection Analyst at Palqee Technologies


If your business develops products or services, or undertakes activities that involve the processing of personal data, you are probably aware that privacy regulations impose plenty of technical and administrative measures your company must take to meet its data protection compliance obligations. This is especially true under the privacy Accountability Principle, one such measure being the performance of a Data Protection Impact Assessment (DPIA).


As your company takes action to perform a DPIA and gains a better understanding of the obligations prescribed by the GDPR, CCPA, and LGPD privacy regulations, some questions may arise.


With the objective of helping businesses thrive in privacy compliance, here are some of the most common questions we get about the DPIA.


What is the Accountability Principle?


In legal terms, the accountability principle refers to the obligations Controllers and Processors have to demonstrate and evidence their compliance with data protection laws and regulations before the national Data Protection Authority (DPA), their stakeholders, data subjects, and the general public.


This principle compels companies to keep records of their activities involving the processing of personal data, while remaining accountable and liable for any damage they may cause to individuals' freedoms and data privacy rights.


One of the most important mechanisms the legal framework provides for evidencing compliance is certainly the performance of a Data Protection Impact Assessment (DPIA), introduced by article 35 of the GDPR and article 5, XII of the Brazilian LGPD.


What is a Data Protection Impact Assessment or DPIA?


The DPIA is a process that companies processing personal data must perform to systematically identify and assess the data protection risks and impacts that could result from the products they offer and the services they provide.


In practical terms, the DPIA's final deliverable usually takes the form of a digital or physical document produced after assessing the existing risks, impacts, potential damages, and the breach mitigation measures adopted by the company.


Who is responsible for the DPIA?


Usually, the person responsible for identifying the need to perform a Data Protection Impact Assessment, and for raising awareness of the DPIA across the company, is the company's Data Protection Officer (DPO), whose role is to act as the guardian of the company's data privacy compliance program and to guarantee its success.


After the Controller's workforce or project owners conduct the DPIA, assess the risks, and fill in the necessary record documentation, the Data Protection Officer assesses whether enough steps have been taken to preserve privacy rights and security, and makes recommendations on the steps that still need to be implemented to reduce the residual data protection risks.


Finally, the board or project team developing the new product or service will either follow the DPO's recommendations to minimize the risks and any eventual damage, or go ahead knowing the risk, depending on the company's policies, values, and interests.


Nevertheless, for the DPIA's scope to be broad and multidisciplinary, it is strongly advised that all stakeholders who take part in the new project or process, and in the processing of personal data, are involved in performing the assessment.


In that sense, by combining technical information security expertise with knowledge of risk management and regulatory frameworks, the DPIA is more likely to cover all the possible risks within the company, and the chances of a breach are reduced.


When do businesses need to perform a DPIA?


According to the regulations, both Controllers and Processors must perform a Data Protection Impact Assessment before starting any new product, service, or project that, by its nature, is likely to create high risks to individuals' privacy rights, and before performing any high-risk personal data processing activity.


For instance, activities considered to be high-risk include:


  • Systematic and extensive profiling: the creation of an individual profile, based on the collected personal data, that produces a negative contractual or financial impact or that otherwise significantly affects the individual;

  • Processing activities that deal with sensitive personal data (information about race, religious or political creeds, genetics, health, criminal records, and others) on a large scale; and

  • The systematic monitoring of public spaces on a large scale, such as the use of closed-circuit television (CCTV), other video surveillance in public areas, and even drones.


Under the Brazilian LGPD, a company must also perform a DPIA whenever the National Data Protection Authority (NDA) requires it for supervisory purposes.


What must the DPIA contain?


Although the content of a Data Protection Impact Assessment may vary widely from company to company, depending on the uniqueness of each business's core activities, for a DPIA to fulfil its accountability purpose it must contain at least the following information:


  • A description of the data processing operations that may generate risks to individuals' rights;

  • The purpose of processing the personal data, as well as the necessity and proportionality of carrying out this activity;

  • The legal bases that permit the company to perform the personal data processing activities, including the Controller's legitimate interests;

  • A description of the risks the given activity presents to the rights and freedoms of individuals, together with the likelihood of each risk actually materializing;

  • The degree of damage each risk would cause to the rights and freedoms of individuals and to the company itself;

  • The technical and administrative measures the company already has in place to prevent the risks from materializing, such as safeguards, information security measures, policies, or workforce training; and

  • The company's mitigation plan in case of a data incident, such as measures to recover damaged personal data and a procedure to inform the DPA and the data subjects about the breach within a reasonable period of time.
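The two lists above (the high-risk triggers that make a DPIA necessary, and the risk, likelihood, damage, and existing-measures fields the assessment must record) can be turned into a small screening and risk-register helper. The following is an added example written for this page; it is not Palqee's code, not a legal tool, and the trigger keys, the 1-3 likelihood and severity scale, the rating thresholds, and the sample processing description and risks are all constructed assumptions chosen for illustration.

```python
"""Added example: DPIA screening and a residual-risk register (illustrative only)."""
from dataclasses import dataclass, field

# High-risk triggers named in the post. The dictionary keys used to describe a
# processing activity are assumptions; a real screening questionnaire is longer.
HIGH_RISK_TRIGGERS = {
    "systematic_profiling": "systematic and extensive profiling with significant effects",
    "sensitive_data_large_scale": "large-scale processing of sensitive personal data",
    "public_monitoring_large_scale": "large-scale systematic monitoring of public spaces",
}


def dpia_required(processing: dict) -> list[str]:
    """Return the high-risk triggers a processing description hits (empty = none hit)."""
    hits = []
    if processing.get("profiling") and processing.get("significant_effect"):
        hits.append("systematic_profiling")
    if processing.get("sensitive_data") and processing.get("large_scale"):
        hits.append("sensitive_data_large_scale")
    if processing.get("public_monitoring") and processing.get("large_scale"):
        hits.append("public_monitoring_large_scale")
    return hits


# Assumed 1-3 scales for "likelihood of the risk happening" and "degree of damage".
LIKELIHOOD = {"remote": 1, "possible": 2, "probable": 3}
SEVERITY = {"minimal": 1, "significant": 2, "severe": 3}


@dataclass
class Measure:
    """An existing technical or administrative safeguard and how far it lowers each scale."""
    name: str
    likelihood_reduction: int = 0
    severity_reduction: int = 0


@dataclass
class Risk:
    operation: str          # the processing operation being assessed
    description: str        # the risk to individuals' rights and freedoms
    likelihood: str         # key of LIKELIHOOD
    severity: str           # key of SEVERITY
    measures: list = field(default_factory=list)


def rating(score: int) -> str:
    """Map a likelihood x severity product (1..9) to a rating; thresholds are assumed."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def assess(risk: Risk) -> dict:
    """Score the inherent risk, apply existing measures, and flag residual high risks for DPO review."""
    inherent_l = LIKELIHOOD[risk.likelihood]
    inherent_s = SEVERITY[risk.severity]
    # Measures step the scales down, never below the minimum of 1.
    residual_l = max(1, inherent_l - sum(m.likelihood_reduction for m in risk.measures))
    residual_s = max(1, inherent_s - sum(m.severity_reduction for m in risk.measures))
    inherent = inherent_l * inherent_s
    residual = residual_l * residual_s
    return {
        "operation": risk.operation,
        "risk": risk.description,
        "inherent": inherent,
        "inherent_rating": rating(inherent),
        "measures": [m.name for m in risk.measures],
        "residual": residual,
        "residual_rating": rating(residual),
        "dpo_review": rating(residual) == "high",
    }


def build_register(risks: list) -> list:
    """Produce the register rows that would go into the DPIA document."""
    return [assess(r) for r in risks]


# Constructed sample input: a credit-scoring feature and two of its risks.
SAMPLE_PROCESSING = {"profiling": True, "significant_effect": True, "large_scale": True,
                     "sensitive_data": False, "public_monitoring": False}

SAMPLE_RISKS = [
    Risk("credit scoring", "unauthorised access to score data", "possible", "severe",
         [Measure("encryption at rest", likelihood_reduction=1),
          Measure("role-based access control", likelihood_reduction=1)]),
    Risk("credit scoring", "automated decision with no human review", "probable", "severe"),
]

if __name__ == "__main__":
    print("DPIA triggers hit:", dpia_required(SAMPLE_PROCESSING))
    for row in build_register(SAMPLE_RISKS):
        print(row)
```

In the sample, the first risk starts as high (2 x 3 = 6) but the two access controls bring its residual score down to medium, so it is recorded with its measures and needs no escalation; the second has no measures, stays at 9, and is flagged for the DPO's recommendations, which mirrors the division of roles described in the "Who is responsible" section.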


Why is performing a DPIA important?


Performing a DPIA enables companies to act upon the identified risks and their possible damages, and to take appropriate actions to prevent or, at the very least, minimize the impacts on individuals' data privacy rights.


Performing a DPIA when required is mandatory for achieving privacy compliance, for avoiding high administrative penalties imposed by the DPA and the filing of individual compensation claims against the company, and for protecting the company's brand reputation.


Furthermore, companies may also use the DPIA documentation as proof, under the DPA's supervision, that they are operating in conformity with the privacy regulations.


Conclusion


Finally, for businesses to demonstrate accountability through the performance of a Data Protection Impact Assessment, they must also build a culture of data protection within their organization.


This can include, for example, developing privacy policies, establishing good privacy standards and practices within corporate operations, engaging the workforce in every department that takes part in the data flow, and, ultimately, making business decisions that foster a growing privacy-friendly corporate culture.


Start your GDPR/LGPD compliance journey today with Palqee, the #1 platform to operationalise Privacy and Data Governance.



