
When is a DPIA Required? (For GDPR & Other Laws)


It's no news that businesses must take data protection seriously in today's data-centric world.

Under data privacy laws, one of the ways this initiative is enforced is through Data Protection Impact Assessments (DPIAs). But, considering how demanding these assessments can be, DPIAs aren't always required.

Naturally, this begs the question: "When is a DPIA required?"

In this article, we'll clarify the situations and criteria that require a DPIA under the GDPR and other well-known data privacy laws today.

Let's dive in!

Key Takeaways

  • The DPIA process helps determine whether a personal data processing activity may pose high risks to people's rights and freedoms. It then recommends measures to lessen or remove such risks.
  • Data privacy laws like the EU’s GDPR require businesses to perform DPIAs for high-risk data processing operations.
  • Aside from legal compliance, DPIAs also help mitigate privacy risks, foster trust and transparency, and enhance data quality and accuracy, to mention a few.

Understanding DPIAs: The Basics

A DPIA is a structured process for predicting and mitigating potential risks to people’s rights and freedoms. It’s an obligation that motivates businesses to prioritize data protection when planning a significant project involving personal data.

Like PIAs (Privacy Impact Assessments), DPIAs help identify and prepare for data protection risks, ensuring your project is secure and privacy-friendly.

DPIAs ensure your data processing activities don't negatively impact people's lives. For instance, if your database is breached because of insufficient security safeguards, criminals could use the exposed data to steal people's identities.

Does the GDPR Require DPIA?

Colin Levy, an award-winning attorney and author of "The Legal Tech Ecosystem," says:

"GDPR mandates a DPIA for processing operations that are likely to result in a high risk to the rights and freedoms of individuals."

Specifically, Article 35 of the GDPR requires businesses to perform DPIAs if they:

  • Systematically and extensively profile EU residents to make decisions that legally or significantly affect them
  • Process special data categories or data relating to criminal offenses on a large scale
  • Systematically monitor publicly accessible places on a large scale

Levy states that:

"The European Data Protection Board (EDPB) and national data protection authorities provide additional guidance and criteria to help determine when a DPIA is necessary."

Note: Before performing DPIAs to facilitate GDPR compliance, it’s crucial to seek the advice of your Data Protection Officer (DPO) or a team like Captain Compliance. Their expertise and insights can prove invaluable to the process.

When is a DPIA Required Under the GDPR?

If your data processing activity is likely to pose a “high risk” to data subjects’ rights and freedoms under the GDPR, you must conduct a DPIA.

While the GDPR provides some specific instances of “high-risk” activities, EU Data Protection Authorities have provided additional clarity with ten distinct examples. Let’s briefly examine them:

Profiling of the data subject

If you use personal data to analyze or predict a person’s preferences, behavior, interests, or movements, a DPIA is mandatory.

For instance, an e-commerce company that uses customer data to create targeted advertisements based on browsing history and purchase patterns must perform a DPIA.

Automated decision-making processes that may impact the data subject

Whenever automated systems (with no human involvement in the decision) make significant decisions that affect individuals, a DPIA is required by law.

For example, if an institution uses a computer algorithm to approve or deny applications based on personal data, a DPIA is needed.

Systematic monitoring of individuals in public spaces

If you consistently and methodically monitor individuals in public areas, a DPIA is necessary. This could be relevant for city surveillance systems that track and analyze people’s movements in public places for security purposes.

Processing special categories of personal data

Whenever you process special data categories (also known as sensitive personal information), a DPIA is necessary to assess the potential risks to the data subject.

Under the GDPR, special data categories include data relating to:

  • Health status
  • Racial/ethnic origin
  • Sex life or sexual orientation
  • Trade union membership
  • Political opinions
  • Religious/philosophical beliefs
  • Genetics
  • Biometrics

For instance, a research project involving genetic data analysis for medical advancements will require a DPIA.

Large-scale processing operation of data

If you process personal data on a large scale, a DPIA is required. To put this in context, a healthcare provider conducting research using a vast patient record dataset must perform a DPIA due to the scale and sensitivity of the data.

Merging data collected via various processes

If you merge data from different sources or processes, creating new profiles or insights about individuals, a DPIA is needed. An example is if a company combines its online purchase data with its in-store shopping behavior to build comprehensive customer profiles.

Collecting data belonging to persons who are incapacitated

When collecting data from individuals who are unable to give consent or understand the implications, a DPIA is essential. This could occur in healthcare settings when collecting medical data from patients with severe cognitive impairments.

Using new technologies to process data

Whenever implementing a new technology that might impact individuals' privacy, a DPIA is required.

For example, if a company adopts a cutting-edge facial recognition system to manage access control, a DPIA would be necessary to assess potential risks to privacy.

Transferring data to countries outside the EU/EEA

If you plan to transfer personal data outside the EU or EEA, particularly to countries with “inadequate” data protection by EU standards, a DPIA is mandatory.

To illustrate, a multinational Australian company sharing EU personal data with its subsidiaries in Australia will need to perform a DPIA.

Limiting the rights of data subjects when processing data

If your data processing operations may potentially limit individuals' GDPR rights, a DPIA is vital.

For instance, if a social media platform restricts users' ability to access their personal data, a DPIA is required to review the impact on users' rights and freedoms.

When is a DPIA Required Under Other Data Privacy Laws?

The GDPR isn't the only data privacy law that requires DPIAs. Several other laws also require DPIAs in circumstances similar to the GDPR.

Let’s briefly go over them.

DPIAs Under Brazil’s LGPD

Unlike the GDPR, Brazil’s Lei Geral de Proteção de Dados takes a more lenient approach regarding DPIAs.

Accordingly, there are only two scenarios in which the LGPD addresses the need for DPIAs:

  • When data processing is based on a legitimate interest (Article 10)
  • When processing involves sensitive data (Article 38)

In these instances, Brazil's National Data Protection Authority (ANPD) may request a DPIA from you.

That said, the Brazilian Digital Government Secretariat (SGD) also recommends a DPIA in some additional circumstances. Examples include but aren’t limited to the following:

  • Automated decision-making (including profiling) that may have legal or similar effects on consumers
  • Building a real person's behavioral profile
  • Processing data of children and teens
  • Tracking consumers' location

DPIAs Under Singapore’s PDPA

In a comprehensive guide, Singapore's Personal Data Protection Act, or PDPA, sets out several examples of when an applicable business is required to conduct a DPIA.

They include when the following occurs:

  • Developing a new system that involves collecting and handling personal data
  • Creating a new process (including manual ones) that involves handling data (e.g., a receptionist collecting data from visitors)
  • Changing the way existing systems handle personal data
  • Structural changes that affect data management, such as mergers and acquisitions
  • Collecting new types of personal data

DPIAs Under the Philippines’ DPA

Unlike the GDPR, the Philippines' Data Protection Act (DPA) doesn't explicitly require DPIAs.

However, they’re highly recommended for significant data processing activities, especially in the following cases:

  • When you haven’t performed a PIA for any of your data processing operations
  • When implementing a new data processing system
  • When significantly changing your existing data processing system
  • When there are significant external developments that could negatively impact your current data processing system
  • When a major data breach or recurring security incident occurs

DPIAs Under Switzerland's FADP

Switzerland's criteria for conducting DPIAs largely mirror those of the GDPR (with slight differences). Under Article 22, the FADP requires DPIAs for data processing activities that could present a "high risk" to individuals' personalities and fundamental rights.

High-risk data processing under the FADP includes:

  • Processing sensitive personal data on a large scale
  • Systematic monitoring of public areas on a large scale

Benefits of Conducting a DPIA

Performing a DPIA is like laying a sturdy foundation for your data processing operations. Even when not mandatory, it yields numerous advantages, including the following.

Legal Compliance

First and foremost, a DPIA is a vital part of complying with applicable data protection laws (as we’ve previously established).

Levy states that:

"Under GDPR, conducting a DPIA is a legal requirement for certain types of data processing activities. Failure to conduct a DPIA when required can lead to penalties."

By assessing the impact of your data processing on individuals' privacy, you align your operations with the legal requirements of applicable laws and avoid fines for non-compliance.

Mitigating Risks

A DPIA’s overarching goal is to identify, assess, and reduce or eliminate risks associated with your data processing activities.

Through proactive data protection risk management, DPIAs help foster a secure environment for data management, ultimately preventing data breaches and other privacy-related incidents.

Building Trust and Transparency

DPIAs can help demonstrate a commitment to transparency and trust-building. When consumers know that their privacy is a priority and risks are proactively mitigated, their trust in your business grows.

Moreover, transparency in managing and protecting data instills confidence in stakeholders and enhances your reputation.

Cost-Effectiveness

Conducting a DPIA early in your project lifecycle saves costs for your business by preventing expensive fixes later.

After all, identifying and addressing privacy issues from the start is more efficient and economical than retrofitting solutions into an already established system.

Enhanced Decision-Making

DPIAs can also uncover valuable data insights that guide decision-making during project planning.

Levy says it helps with decision-making because:

"It assists organizations in making informed decisions about the feasibility and data protection implications of a project involving personal data."

When you understand the privacy implications of your data processing activities, you can make well-informed choices about your corporate compliance program, methodologies, and strategies.

Improved Data Quality and Accuracy

By analyzing data processing practices, a DPIA may reveal areas for improvement in your data quality and accuracy.

This can lead to better privacy governance, elevating the integrity of your data and, consequently, the effectiveness of your business operations.

How Can Captain Compliance Help?

Now that you understand when a DPIA is necessary, it's time to address this vital aspect of your privacy responsibilities with an effective compliance service.

Captain Compliance stands ready to help you seamlessly fulfill your privacy obligations. We believe in a proactive approach to compliance, and our services empower you to navigate data privacy confidently.

Get in touch today for a complimentary consultation to take the first stride towards a compliant DPIA strategy.

FAQs

When should I consider conducting a DPIA for my project or process?

You should consider a DPIA when your data processing activities present potential risks to individuals' privacy. Examples include launching a new marketing campaign via profiling or adopting innovative technologies for data analytics.


Are there specific indicators that signal the need for a DPIA?

Yes, indicators like large-scale data processing, the use of technologies like AI, or the processing of special data categories like health or ethnicity often warrant a DPIA.

What’s more, any data processing activity that could impact individuals significantly or limit their rights highlights the need for a DPIA.


Does the size or type of my business affect the need for a DPIA?

No, it doesn’t. If your data processing activities meet the criteria set by relevant data protection laws — like the GDPR or LGPD — a DPIA is required. Whether you are a startup or a large enterprise, compliance with these laws remains essential.

See also: How to perform a DPIA under the LGPD

Can conducting a DPIA save my business time and resources in the long run?

Absolutely. While a DPIA requires an initial investment of time and resources, it often prevents legal issues, fines, and costly rework.

Pinpointing and addressing privacy risks at the outset ensures a smoother, more compliant data processing journey in the long term.
