Data Protection Impact Assessments are the sleeping giants that lie deep in the GDPR. Doing DPIAs well requires organizations to commit to responsible data management at a deep, deep level. That’s one of the reasons why they are so challenging.
Data Protection Impact Assessments are the sleeping giants that lie deep in the GDPR. Doing DPIAs well requires organizations to commit to responsible data management at a deep, deep level. That’s one of the reasons why they are so challenging.
If one were to poll a sample of business, technical, and marketing professionals on “GDPR provisions that keep you up at night,” it’s likely DPIA’s wouldn’t make the top three. There are flashier aspects of GDPR. Consent management. Right-to-object. Data Subject Requests. Since these are the elements most frequently in the headlines, they tend to take up the most space on a business’s priority list.
But DPIA’s represent the biggest challenge to most businesses in their present state. And for that reason, establishing a DPIA process that adheres to the GDPR guidelines is a key indicator that a business is making a deep, meaningful commitment to data privacy.
For the uninitiated, here are the basics of a DPIA. It’s intended to let a business analyze and minimize the privacy risk from a processing activity. Under GDPR, businesses conduct a DPIA when undertaking a range of data processing activities, from monitoring public places to using innovative technologies to using biometric data. You can read more about the circumstances in which a DPIA is legally required here.
The Assessment itself is a multi-step process that involves coordination across a number of teams. The ICO describes the following nine steps as essential:
The purpose of this article isn’t to walk through the step-by-step of how a DPIA exercise should be conducted. The ICO has already published an excellent one of those here. Rather, it’s to point out what a challenge this poses for most businesses in their present state. Put simply, if most businesses did DPIA’s the way they’re supposed to, it would result in a productivity nightmare.
Within a modern large business, there could be hundreds of processing activities every year. Under GDPR many will require a DPIA. But the vast majority of businesses lack the processes or technology to perform them quickly; they are handled entirely manually. The result is not pretty. Members of the dev team emailing the legal department to set up a meeting where they present a proposed activity and, together, fill in half of a DPIA template form. Then a question comes up. The legal team consults with enforcement authorities for clarity, and the response takes a week to arrive. Meanwhile, developers are bottlenecked as they’re unsure whether they can proceed until getting clearance from legal. And the marketing team awaiting delivery of their snazzy new retargeting tool is frustrated. Multiply this scenario by a hundred cases a year, and the efficiency costs that a DPIA represents to many organizations becomes clear.
Given this, it’s not surprising that many businesses opt to take a “managed-risk” view of DPIA’s. Perhaps that represents the best of a bad bunch of options. With a fully manual process, the efficiency cost of compliance can look disastrously high.
But enforcement around GDPR is picking up. What’s more, consumers are beginning to expect higher standards of privacy practice. As time passes, the cost of DPIA non-compliance will rise steeply. And businesses that decide they can’t afford deep privacy measures today may find the long-run cost of their inaction significantly higher.
Today we’re announcing faster and more powerful Data Privacy and AI Governance support
See new feature releases enhancing user experience, adding new integrations and support for IAB GPP
Learn more about the privacy and data governance enhancements in Fides 2.27 here.
Read Ethyca’s CEO Cillian Kieran describe why and how an open data governance ontology enables companies to comply with data privacy regulations and frameworks.
Ethyca sponsored the Unpacking Privacy Engineering for Lawyers webinar for the Interactive Advertising Bureau (IAB) on December 14, 2023. Our CEO Cillian Kieran moderated the event and ran a practical discussion about how lawyers and engineers can work together to solve the technical challenges of privacy compliance. Read a summary of the webinar here.
Ethyca’s CEO Cillian Kieran hosted a LinkedIn Live about the newly agreed upon EU AI Act. Read a summary of his talk and find a link to his slides on what governance, data, and engineering teams need to do to comply with the AI Act’s technical risk assessment and data governance requirements.
Our team of data privacy devotees would love to show you how Ethyca helps engineers deploy CCPA, GDPR, and LGPD privacy compliance deep into business systems. Let’s chat!
Request a Demo