A lot of the angst derives from a simple misunderstanding: a DPIA is a risk assessment, but not primarily of the risks your organisation faces. It focuses on the risks to the people whose data you will be using. That said, there’s also a need to consider the risks your organisation could face, for example if a breach occurs. Such risks could include reputational damage, regulatory fines and even loss of business, but these generally arise out of not getting the first part right. While organisational risk is reasonably well understood, it’s the privacy risks that often cause the most difficulty.
Don’t get too worried. The beginning of the process is simply working out whether you need a DPIA at all. This can be decided through a number of screening questions, which are set out in the GDPR itself and have been added to by supervisory authorities and the Article 29 Working Party, an EU advisory body now replaced by the European Data Protection Board. The screening questions are relatively straightforward at first glance, but they do require some thought. For example, the GDPR asks: “Will the processing involve special categories of data… on a large scale?” Let’s say your plans include processing some health data - but is this large scale? Well, that depends. There is no official definition of ‘large scale’, but you can form a view by looking at what type of health data is in scope: is it serious medical conditions, or just the last time you took a day off sick and why? Is it going to be a significant number of data subjects, such as in the millions? Or perhaps not a large number, but a relevant proportion, such as over half of the town’s residents?
At this point, and before it gets too confusing, I’d like to introduce you to Sam, the man (or woman) in the street. They’re used in legal and statistical discussions to represent the person who sits at the top of the bell curve – average, ordinary, your everyday Joe (or Jill). Sam is the person whose personal data you’re thinking of processing. For every screening question, ask yourself “what would Sam think?”
Sam doesn’t have a problem with your use of the personal data you’re thinking about using, but might get upset if you used it to decide whether they should pay a higher insurance premium. They’re happy for you to have that information, as the reason for its use is understood and acceptable, but would be horrified if a breach occurred and their friends and neighbours could read their information online.
If there’s something you think Sam would be worried about, then it’s probably time to look at the full DPIA. Identify the concern and what you can do to make Sam happy. It might be additional security controls to help prevent breaches, reducing the amount of sensitive data you need to use, restricting who can access it, or making it clear you’ll delete it the minute you no longer need it. Whatever will make Sam smile again is what you need to put into place. Don’t know a Sam? The DPIA process encourages you to consult with others, including the data subjects themselves. There are plenty of Sams out there. Then there’s only one piece of the puzzle missing: your Data Protection Officer, or on-call expert, who will be able to guide Sam in making informed decisions, as they know the law and, more importantly, have experience of what can and does go wrong.