
CNIL DPIA Template: List of Things to Include

Although the members of the European Union (EU) are subject to the General Data Protection Regulation (GDPR) for data privacy, EU countries still retain their own GDPR interpretations to suit their specific needs better.

One example is the French Data Protection Act (FDPA).

In this article, we’ll explain the Data Protection Impact Assessment (DPIA) from the perspective of France and its law and give you a CNIL DPIA template with a list of things to include.

So, let’s begin.

Key Takeaways

  • Conducting a data privacy impact assessment (DPIA) is required by the GDPR and the French Data Protection Act (FDPA) when the processing can result in a significant risk of harm to the rights and freedoms of data subjects
  • The CNIL DPIA template serves to help businesses create their DPIAs more easily
  • The DPO is the person responsible for ensuring the DPIA is conducted and signs off on the DPIA

What is the French Data Protection Act?

The French Data Protection Act (FDPA) is a data privacy regulation that serves to interpret and amend the EU’s GDPR to better match the needs of individuals in France for data privacy and protection.

The Act pre-dates the GDPR, as it was initially passed in 1978. However, it was later amended heavily in 2018 to include modern digital technologies and GDPR’s data protection mechanisms.

This law applies to:

  1. Data handlers located in France
  2. Data handlers located outside of France but who are offering products and services to consumers in France
  3. Data handlers located outside of France but who are monitoring individuals in France

Additionally, the Act grants data subjects certain rights that the data handler must honor:

  • Right to access the individual's own personal data
  • Right to correct the person’s data
  • Right to erase personal data
  • Right to the restriction of data processing
  • Right to withdraw consent

Both the GDPR and the FDPA are overseen by the Commission nationale de l'informatique et des libertés (CNIL), which serves as the national data protection authority body in France.

What is a DPIA (And Do I Need One)?

The Data Protection Impact Assessment (DPIA) is a method of evaluating potential risks that collecting, storing, and processing personal data might have on the data subject and finding solutions to mitigate those risks.

As an important tool that helps businesses comply with the GDPR and other data privacy regulations, a DPIA offers several benefits, such as:

  • Identifying the risks involved in processing personally identifiable information (PII) for data subjects
  • Improving the reputation of the business and helping to build a better relationship with its customers
  • Reducing the risk of penalties for non-compliance for the organization

Article 35 of GDPR covers the DPIA in detail, including the designation of a data protection officer (DPO) and what the DPIA should include.

At a minimum, a DPIA must contain:

  1. A description of the data processing activities, along with the purposes and legitimate interests of the data controller
  2. An assessment of the necessity of the data processing in relation to its purpose
  3. An assessment of the potential risks to data subjects’ rights and freedoms
  4. Steps and measures the business plans to take to reduce those risks (safeguards, mechanisms, security, etc.)

When is a DPIA Required?

A DPIA is required any time that data processing done by an organization can potentially pose a “high risk” to the rights and freedoms of individuals.

According to both the GDPR (Article 35) and the French Data Protection Act, a DPIA is required when the data handler is carrying out any of these “high-risk” activities:

  1. Using new technologies to process personal data
  2. Monitoring individuals in public spaces systematically
  3. Profiling data subjects using personal data
  4. Processing special categories of personal data
  5. Merging data collected from different sources and via various processes
  6. Collecting data belonging to incapacitated individuals
  7. Limiting the rights of individuals when processing data
  8. Transferring data to countries outside of the EU and/or EEA
  9. Processing children’s data
  10. Processing data on a large scale

CNIL DPIA Template

CNIL publishes a DPIA template that you can download as a PDF. It covers the most important steps to create a DPIA under the GDPR and the FDPA.

A DPIA template can be useful to different stakeholders involved in data processing in your organization, including:

  1. Decision-makers
  2. Data protection officers (DPO)
  3. Contractors
  4. Chief Information Security Officers (CISO)
  5. Project owners, and others

You can download a free PDF of a CNIL DPIA template here on the authority’s website along with the guide on how to fill it out.

We’ll quickly cover the different sections of this template and what they mean.

Study of the Context

The first part of the DPIA template covers the context of the data processing in question. This part is divided into two sections.

Overview of the Processing

The Overview of the Processing includes an overall description of the processing, processing purposes, and stakes as well as who the data controller and data processor(s) are.

Additionally, the overview also covers any standards that are specific to your sector or industry you need to consider.

Data, Processes, and Supporting Assets

Next, what data types are you collecting and processing, who are the recipients, and how long will you store this data?

Also, you need to describe your processes and their supporting assets. CNIL recommends creating a diagram of data flows along with a detailed description of the processes.

Study of the Fundamental Principles

Assessment of the Controls Guaranteeing the Proportionality and Necessity of the Processing

In this section, you have to justify the proposed data processing, starting with its legitimacy.

The CNIL DPIA template includes several criteria for lawfulness. Go through them all, check whether they apply to your situation, and if they do, justify why.

For example, one lawfulness criterion is that the data subject has given their consent to the processing of their personal data for one or more specific purposes. In this case, you would mark the “Applicable” field “yes” and, in the “Justification” field, explain that they have given their consent for data processing by allowing cookies on your website.

Next, you need to go through the data categories, whether they are relevant and needed, how you can minimize the data you will process, the justification of data quality, and the justification of storage duration.

Finally, assess your controls. Do you have a specific and legitimate purpose? Does the processing have a lawful basis? Is your data minimization adequate, and is the data up to date and accurate?

Assessment of Controls Protecting Data Subjects’ Rights

The next section of the template goes through how well the business is protecting data subject rights.

  1. Informing the data subject - How are you informing the data subject? Are there any exemptions? What are they?
  2. Obtaining consent - How are you obtaining consent? Do you obtain it before or after registration and before or after sharing it with others? How are you handling children's consent?
  3. Access and data portability - Can the data subject access their data securely and easily? Can they download it and transfer it to another service?
  4. Rectification and erasure - Can data be rectified or erased/deleted at the data subject’s request? How will you implement the right to be forgotten? What data can’t be erased (e.g. due to legal obligations)?
  5. Restriction of processing and objecting - How can the data subjects object to data processing or restrict it? How do you handle cookies and tracking? Do you offer enough “Privacy” settings that users can control?
  6. Processors - What is the processor’s name, purpose, scope, and contact reference?
  7. Data transfer outside the EU - Will the data be transferred outside the EU? To which country? Does it have adequate data protection?

Finally, go through these controls one more time and see if they can be improved upon and how.

Study of Data Security Risks

What security controls are you using when processing data? Security controls include things like encryption and anonymization, but also physical access control, policy management, protection against human and non-human risk sources, and so on.

Go through each data security risk, whether it comes from cyberattacks, human error, or natural causes (fire, water, earthquake), assess your controls, and see if you can improve on them.

Also, assess the probability of a potential data breach. What are the main risk sources, threats, and potential impacts? What is the potential severity of the data breach and its likelihood? Do you have any controls that will help you reduce those?

Validation of the PIA

Lastly, assess the controls and how well they comply with the GDPR and its principles. You can use a simple assessment checklist and mark each control as non-applicable, unsatisfactory, planned improvement, or acceptable.

Once that is done, have the DPO sign off on the PIA.

Steps to Carry Out a DPIA

Here are the steps to carry out a DPIA:

Identify the Need to Conduct a DPIA

A DPIA is required in certain situations regarding data processing, but not always. Consider what your new project involves and if the data processing that you will have to do as part of it can, in any way, present a high risk to the rights and freedoms of individuals whose data you will process.

“High-risk” activities can include:

  1. New technologies (AI, smart technologies, IoT, autonomous vehicles, etc.)
  2. Large-scale profiling (social media networks, fitness monitoring hardware and software, etc.)
  3. Biometric and genetic data (facial recognition, voice recognition, DNA testing, medical research, etc.)
  4. Data matching (direct marketing, identity assurance services, fraud prevention…)
  5. Denial of a service (decisions such as mortgage, insurance, or credit checks)
  6. Tracking (cookies, web tracking, browser profiling, online advertising…)
  7. Invisible processing (direct marketing, data aggregation, publicly available data reuse…)
  8. Targeting of at-risk individuals and groups, such as children, for automated decision-making, profiling, or marketing

Consultation Phase

In this phase, and before going any deeper into the impact assessment, you need to consult with certain stakeholders, in particular:

  1. Consult with data processors to better understand their data processing and handling methods
  2. Talk with Data Protection Agencies for assistance and guidance
  3. Discuss the best methods and tools to secure data before, during, and after processing with data security experts

Describe the Nature, Scope, Context, and Purpose

Any data processing should have a clear nature, scope, context, and, finally, purpose. Define all of these by asking the following questions:

The Nature of Data Processing

  • How will the business collect data?
  • Where will data be stored?
  • How will data be stored?
  • How will it be used?
  • For how long will it be stored?
  • What are the data sources?
  • When and how will the business erase the data?
  • Will data be shared with any third parties?

The Scope of Data Processing

  • Does the data include any special categories of data?
  • How often will the business use this data?
  • How long will the company keep the data?
  • How much data will the business be collecting and using?
  • What area (city, state, country, etc.) will the processing cover?
  • How many individuals, on estimate, will be affected by this data processing?

The Context of Data Processing

  • How is the data collected? From customers or third parties?
  • Are the data subjects your users or customers, or do you have another type of relationship with them?
  • Can they reasonably expect that you will use the data for the specified purpose? For example, a weather app won’t need biometric data but a fitness app will; conversely, a weather app will require geographical and location data, but a fitness app likely will not.
  • Can individuals determine and control what data they share, to what extent, and can they exercise their data subject rights?
  • Is this a novel type of data processing, and does it have known security flaws?
  • Does it involve children or other at-risk groups?

The Purpose of Data Processing

  1. What does the business hope to get from this data processing?
  2. What will be the benefits of processing for the business?
  3. What will be the benefits for individuals?

Identify and Assess Potential Risks

Naturally, every project that requires data processing will incur certain risks. In this phase, you need to assess those risks and what harm could come out of them:

  1. What is the risk potential? Remote (unlikely to happen), possible (it “might” happen), or probable (it’s likely to happen)?
  2. If the harm occurs, what will its severity be? Minimal, moderate, or severe?
  3. What is the overall risk? Low, medium, or high?

Identify Measures to Mitigate Risks

Now that you know and understand the risks, what measures can you use to mitigate them?

  1. List all potential risks that you identified in the previous step
  2. List options to reduce each individual risk. The more options you have, the better, but in general you should have more than one option per risk
  3. What positive effect will each option have on the specific risk? Will it reduce or remove the risk? Bear in mind that you might have to accept certain risks as they are
  4. What risks are you left with after implementing these measures?

Sign Off with a DPO

The next step is for the data protection officer (DPO) to approve and sign off on the DPIA. However, the work isn’t finished here, as the DPIA results and outcomes need to be observed and monitored regularly to ensure they align with the company’s vision and regulatory obligations.

Partner with Captain Compliance

Finally, make sure to partner with Captain Compliance and have our experts help you maintain compliance and find ways to improve data privacy and protection.

We provide outsourced compliance services and have a DPIA solution to ensure your risks are at a minimum.

Penalties for Non-Compliance with the French Data Protection Act

The FDPA empowers the CNIL and its Restricted Committee to take action and impose fines on data controllers in case of non-compliance. These may or may not be preceded by a formal notice.

If the data controller or data processor is found in violation, the Restricted Committee can:

  • Issue a call to order
  • Issue an injunction to comply with the Act or the GDPR
  • Fine them up to €100,000 per day of delay
  • Revoke or withdraw their certification
  • Prohibit data processing
  • Suspend data flows to a third party or an international organization
  • Suspend (partially or entirely) the approval of BCRs (binding corporate rules)

On top of this, your business may also be subject to GDPR fines, which can reach up to €20,000,000 or 4% of your company’s global turnover. And if that isn’t enough, there is also a private right of action, meaning others can sue your company for even more money.

Closing

As an EU member, France adopted the GDPR on 4th August 2018 and has incorporated the GDPR provisions into its Data Protection Act of 1978 (amended in 2018).

We hope this article and CNIL DPIA template can serve as a good starting point to conduct your own privacy impact assessment. If you think you may need help with DPIAs or compliance in general, Captain Compliance can help your business out.

Get in touch with Captain Compliance for more information on how we can affordably and effectively achieve compliance for your business.

FAQs

How do I draft a DPIA?

To draft a DPIA, you should follow these steps:

  1. Identify the need for a data privacy impact assessment
  2. Consult with data processors, data protection agencies (DPA), security experts, and other stakeholders
  3. Describe the nature, context, and purpose of the processing
  4. Identify and assess the risks
  5. Identify the measures to reduce those risks
  6. Sign off with a data protection officer (DPO)

Learn more about DPIA and its steps on Captain Compliance.

What is a DPIA template?

A DPIA template is a document form or guide that can help businesses conduct data privacy impact assessments more quickly and easily.

Here is the difference between a DPIA and a PIA that you should know about.

What must be included in a DPIA?

At a minimum, a DPIA must include:

  1. A description of the data processing activities, along with the purposes and legitimate interests of the data controller
  2. An assessment of the necessity of the data processing in relation to its purpose
  3. An assessment of the potential risks to data subjects’ rights and freedoms
  4. Steps and measures the business plans to take to reduce those risks (safeguards, mechanisms, security, etc.)

Here is how to do a CPRA DPIA.

Does GDPR require DPIA?

Under Article 35, the General Data Protection Regulation (GDPR) requires a data privacy impact assessment (DPIA) when data processing can result in significant harm to the rights and freedoms of data subjects.

In particular, when:

  1. Using new technologies to process personal data
  2. Monitoring individuals in public spaces systematically
  3. Profiling data subjects using personal data
  4. Processing special categories of personal data
  5. Merging data collected from different sources and via various processes
  6. Collecting data belonging to incapacitated individuals
  7. Limiting the rights of individuals when processing data
  8. Transferring data to countries outside of the EU and/or EEA
  9. Processing children’s data
  10. Processing data on a large scale

Learn if other data privacy laws, like the Brazilian LGPD, require DPIA.