How to conduct a data protection impact assessment?

Every organization, when starting an activity, evaluates various risks in order to achieve its goal and avoid adverse consequences. For example, no matter how thoroughly the business environment has been researched, the risk that there will be insufficient demand for a product is always evaluated before deciding to sell it. The processing and protection of personal data is no exception.

A data protection impact assessment (hereinafter: DPIA) is a process by means of which the controller (hereinafter: organization) can identify, analyze and assess the various risks to the rights and freedoms of natural persons arising from a specific data processing operation, evaluate their possible consequences (according to severity and probability), and determine measures to prevent the identified risks.

In certain cases carrying out a DPIA is mandatory; however, the GDPR recommends it in other cases as well, before the planned data processing begins.

Conducting a DPIA is not a one-time event but an ongoing set of activities that must be carried out regularly, evaluating your data processing processes to identify where processing could pose a “high risk” to the rights and freedoms of individuals. Organizations should not assume that data processing is static (even if no changes are made to it), as external factors also pose risks to the processing performed.

As indicated in the guidelines developed by the Article 29 Working Party, the reference to the “rights and freedoms of natural persons” in Article 35 of the General Data Protection Regulation mainly refers to the individual’s right to data protection and privacy, but it can also apply to other fundamental rights: freedom of speech, freedom of thought, freedom of movement, the prohibition of discrimination, the right to liberty, freedom of conscience and freedom of religion.

When conducting a DPIA, the organization should consider the following aspects of its data processing:

• internal processes and planned actions involving personal data;
• possible data protection breaches (and, if it can be estimated, how much harm each could cause to the data subject);
• which employees have access to personal data (the need for each access must be assessed);
• how internal data exchange takes place and whether the current exchange mechanisms are considered secure;
• where the data is located and who can access it, and how the data is transported (on computers, in folders, in physical form, etc.);
• employees’ knowledge of how to handle personal data in compliance with data protection requirements;
• internal documentation (whether the rules of the data protection system have been developed with the possible risks of data processing and protection in mind, for example unauthorized access or deletion).

The following questions will also help to assess the aforementioned processing aspects:

• Is the protection of the organization’s data system commensurate with the risk posed by the data it processes?
• Is the processed personal data grouped according to the potential threat, and is data that creates a greater risk protected more carefully?
• What devices are connected to the local network (do the devices themselves or their connections pose security risks, and how have these been addressed)?
• What software is used in the organization’s information systems?
• Are the computers equipped with security controls, such as passwords?
• Is employee access to processed personal data recorded?
• Do the organization’s employees understand their role in protecting the organization against information security threats?
• What else could be done to achieve a higher standard of security?

If, during the DPIA, it is established that the planned processing may pose a high risk to the rights and freedoms of natural persons, and the organization is unable to implement appropriate measures to reduce the identified risks to an acceptable level, the organization must consult the national supervisory authority.