13 January 2020

SECURITY GYAN Bytes : January 2020 : 13th January 2020

Dear Tech Leader,
Data Protection Impact Assessment (DPIA)
In last week's security newsletter, we covered the principles of Privacy by
Default. This week we cover another important aspect of GDPR that is
essential for any privacy-related project: the Data Protection Impact
Assessment (DPIA).

The concept of a DPIA is not bound only to GDPR but applies to any privacy regulation,
including the upcoming Indian Data Protection Act. Let's understand the
core concept of a DPIA so that we can prepare ourselves to measure its impact on
our organizations, processes and projects.

What is DPIA
A Data Protection Impact Assessment, or DPIA, is a process designed to help
organizations conduct a systematic data protection risk assessment for any
process, project or plan. As CIOs or CISOs we are familiar with conducting a risk
assessment as part of ISO 27001 or similar security compliance frameworks, but for
privacy laws the risk assessment process is a little different: a DPIA focuses on
the risk to an individual rather than the risk to the organization.

The key provision is GDPR Recital 75, which links risk to the concept of
potential harm or damage to individuals. It says:

“The risk to the rights and freedoms of natural persons, of varying likelihood
and severity, may result from data processing which could lead to physical,
material or non-material damage, in particular: where the processing may give
rise to discrimination, identity theft or fraud, financial loss, damage to the
reputation, loss of confidentiality of personal data protected by professional
secrecy, unauthorized reversal of pseudonymization, or any other significant
economic or social disadvantage; where data subjects might be deprived of
their rights and freedoms or prevented from exercising control over their
personal data...”

So, the central focus is the "data subject" for whom the data is collected,
and we should conduct the "risk assessment" keeping this "data subject" or
"individual" in mind. For example, suppose we have collected some medical
data about an individual: if a data leak happens concerning this individual, what
risk would he or she face?

A classic case of how a data leak may impact the "rights and freedoms" of an
individual is a leak that happened a few years back at a medical agency. The
agency used to send "AIDS awareness newsletters" to various patients. The
person sending the emails put the recipients in "CC" instead of "BCC", so every
recipient could see the identity of every other recipient. The agency was fined
about £180,000 for this mistake. This case shows how important it is to conduct a
thorough DPIA for any process or project that collects PII about individuals. A
similar case came to light in Singapore as well.
Essentially, the outcome of a DPIA is to identify the risks and, based on the
findings, to prepare a plan for how to mitigate those risks and document the

Why DPIA is important
Conducting a DPIA is a mandatory legal requirement under GDPR; failing to do so
may attract fines of up to €10 million, or 2% of global annual turnover if higher. A DPIA
should be conducted at the beginning of any project or process. It integrates well
with the requirement of Privacy by Design, where you take care of risks
during the initiation of the project itself instead of bolting on fixes later, once
issues have been identified.

A DPIA shouldn't be viewed merely as a legal requirement; if conducted properly it
can help you identify problems at an early stage of the project, when they can be
addressed effectively.

When to conduct DPIA
Organizations are required to complete a DPIA for any processing that is likely to
result in a "high risk" to the rights and freedoms of individuals. What
constitutes high risk isn't clearly defined in GDPR, so it is up to the judgment of
the organization to identify what it considers high risk and to plan to mitigate
those risks accordingly.

[The views expressed by me in this article are completely mine and should in no way be
construed as the views of my organization.]
This Gyan-Byte is contributed by Vikas Arora. He is
currently the Vice President – Global IT & Security
of Toluna. He has more than 23 years of work
experience in the IT industry and is passionate
about cybersecurity. He also works as a virtual
CISO for various organizations and speaks at
various national and international forums.
Twitter: @techievicky