DPIA stands for "Data Protection Impact Assessment". It is a tool to identify the privacy risks of a data processing operation (prior to processing personal data), so that an organization can take appropriate measures to mitigate those risks.
A DPIA is also an important tool for demonstrating that the organization complies with the obligations of the AVG. When carrying out a DPIA, it is important to record the methodology followed and the results in a document. This allows you to demonstrate that you have conducted a proper DPIA if, for example, the Personal Data Authority requests it.
A DPIA is mandatory when processing involves a high risk. Whether a high risk exists can be determined using Article 35 of the AVG, the guidelines of the Personal Data Authority and the guidelines of the European Data Protection Board (EDPB, successor to the Article 29 Working Party, WP29). These guidelines will not be discussed further here.
A high risk exists if, for example, a controller processes special personal data on a large scale, carries out a systematic and extensive assessment of personal aspects (profiling), or matches or merges datasets.
Within the healthcare and education sector, 'high-risk processing' quickly becomes an issue because a lot of special or sensitive personal data of (vulnerable) people are processed. Think of patient records, or (live) streaming education.
There are also examples of high-risk processing within the business world. Consider the use of modern customer profiling technologies, the use of biometrics, the deployment of digital techniques and applications (BI and data analysis) and Artificial Intelligence.
The recent launch of the corona app is also a good example of an application whose high privacy risks must be assessed in light of the principles of the AVG.
DPIAs play an important role in protecting the privacy of the natural persons involved in the processing. With a DPIA, you systematically identify all risks and consider what management measures can be applied to minimize the risks.
In practice, not all companies and institutions perform DPIAs (on time) yet. People often do not know when a DPIA must be carried out, and it turns out afterwards, when the processing is already a fact, that a DPIA should have been carried out. And when it comes to implementation, people often do not know how to do it properly.
The DPIA is a legal obligation. Failure to comply with the DPIA obligation is subject to a "standard fine" of €310,000 in the Netherlands. This has been established in the fine policy of the Personal Data Authority. For not involving 'data subjects' in a DPIA (think of a representative group of natural persons involved in the processing), a standard fine of €100,000 applies.
Several regulators in Europe have already imposed fines for not, or not properly, conducting DPIAs. For example, in 2019, the Swedish regulator imposed a fine of €18,500 on a Swedish school that had mistakenly not conducted a (proper) DPIA for applying camera surveillance in the classroom. In July this year, the Norwegian regulator imposed a fine of €46,600 on a school for failing to conduct a DPIA prior to processing health data in a digital learning platform. This involved insufficient technical and organizational measures. Employers in general are also at risk. For example, the Finnish regulator imposed a fine of €16,000 on a company that processed location data (via GPS tracker software in cars) without having conducted a DPIA.
No fines have yet been imposed in the Netherlands for not conducting a DPIA, but fines have been imposed for, for example, applying a finger scan at a company (€725,000). This could have been prevented with a proper consideration process (read: conducting a DPIA).
Several European regulators also explicitly advise on DPIAs. In the Netherlands, for example, the Personal Data Authority made it clear to educational institutions in early October that a DPIA is necessary for (live) streaming of education and also when applying proctoring. In September this year, the Irish regulator explicitly pointed out that when tracking (following) employees' leased cars, a DPIA must be conducted.
Microsoft 365 and Google
Many companies and institutions are moving their office automation to so-called cloud services, such as Microsoft 365 and Google. Special or sensitive personal data are often (also) processed there. What many data controllers do not sufficiently realize is that in certain cases a DPIA has to be conducted here as well (the issue of data transfers to the United States is left out of consideration here).
The central government already did this for Microsoft in 2018, and the results are well suited as a basis for conducting your own (additional) DPIA. In August of this year, the Ministry of Justice and Security announced that it would also conduct a DPIA on Google. This DPIA stems in part from the wish of the education sector to have an investigation carried out; after all, educational institutions work extensively with Google. What is striking, of course, is that the central government conducts the DPIA after the processing has started. But to be fair, this applies to almost all processing by Dutch companies using cloud services of the "big tech giants".
Employers in general
Large companies must conduct a DPIA for the processing of personal data of their employees, for example in the context of absence registration, or when using software that allows employees' activities to be tracked (see the tracking software mentioned earlier). This also means work for the HR department.
Practical help: the first 'DPIA Handbook theory and practice for non-lawyers'
For companies and institutions that don't quite know their way around DPIAs, the practical Handbook on DPIAs was released at the end of October.
Authors Francis Joung and Sander van de Molen missed such a handbook, even though one was badly needed, so they set out to write it themselves. The book covers the theory and practice of DPIAs. For example: what is a DPIA and when do you have to carry one out? How do you weigh up whether there is a high risk? But above all, the practice: how do you conduct a DPIA? What needs to be included in a DPIA report? The book contains a handy DPIA process and DPIA models that can be applied quickly and easily in practice.
The DPIA Handbook is available on Berghauser Pont's website.
The benefits of a DPIA: it's fun and useful
Through the book, you can start conducting DPIAs yourself quickly and easily.
Experience shows that when a company first learns to conduct DPIAs with proper support, the employees involved in the implementation quickly discover the benefits. On the one hand, it creates a high level of awareness of what can go wrong when processing personal data; on the other hand, many aspects of business operations are touched. As a result, a DPIA yields a lot of "gain": gain in the sense of controlling risks, which reduces the chance of fines, but often also improved insight into processes, the use of systems and the removal of duplicated actions.
In fact, performing a DPIA properly only brings benefits, the most important of which, of course, is the protection of the privacy of those involved. It is still often (too) little known, but we will have to deal with it more and more in the near future. Hopefully we will soon hear, whenever a new 'high-risk' processing comes up: 'Ha, nice, another DPIA! Can I participate?'