A DPIA is a risk assessment carried out for any activity that involves processing user data, and it is a key part of privacy best practice.
Data Protection Impact Assessments (DPIAs) are a key part of privacy best practice. They also pose a unique challenge.
At the most basic level, a DPIA is a risk assessment that is carried out for any activity that involves processing user data.
Going to launch a new marketing campaign that involves sharing first-party data with a partner? Going to migrate your email database to a new platform? Going to start a Consumer Loyalty Program? All of these activities should include a DPIA.
Under the GDPR, DPIAs are legally required in certain cases:
"Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data." – GDPR Article 35(1)
DPIAs require a variety of business departments to work together in a way that is often unfamiliar to them. For data-reliant businesses, the volume of DPIAs that the GDPR calls for, combined with the unusual depth of coordination each one needs, makes them very hard to do well. We wrote about it here.
Given this difficulty, and given that DPIAs are not "consumer-facing" in the way that Data Subject Requests are, many businesses have opted for a "managed-risk" approach: they conduct DPIAs only for the largest or riskiest operations and skip them for day-to-day activities they deem lower risk. This is a gamble. Article 35(4) requires each supervisory authority to publish a list of processing operations for which a DPIA is mandatory, so "we judged it low risk" is only defensible if that judgement was actually made against those lists and recorded. If a complaint about privacy practices triggers a regulator inquiry, the absence of DPIA documentation, or of a documented decision that no DPIA was needed, will land the business in hot water: failing to meet the Article 35 obligation is subject to administrative fines under Article 83(4) of up to 10 million EUR or 2% of worldwide annual turnover, whichever is higher.