Data Privacy, De-Mystified.
Data Protection Impact Assessments are a key part of privacy best practice. They pose a unique administrative challenge, and so their correct execution signifies a deep commitment to getting privacy right. We wrote here about some of the reasons why they are so tough to do well. In a nutshell, a DPIA is a report that a business should complete when they undertake any processing activity that has risk implications for their user data.
DPIAs are challenging because they involve close coordination between a variety of business departments – legal, tech, and others – and they require stakeholders in each of those departments to have a detailed understanding of user privacy. Given this difficulty, and given that DPIAs are not “consumer-facing” in the same way as Data Subject Requests, many businesses have opted to take a “managed-risk” approach. They may conduct them manually only for the largest or riskiest operations and skimp on them for day-to-day activities that they deem lower risk. But if they then are forced to account for privacy-related decisions, through audit and complaint, and lack DPIA documentation, they can quickly find themselves without a legal foot to stand on.