You may already have heard the term DPIA; but for those who still don’t really grasp the concept behind it, let me try to demystify it a bit.

What is a DPIA?

A DPIA is a Data Protection Impact Assessment. The official definition can be found in the guidelines of the WP29: 

“A DPIA is a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them. DPIAs are important tools for accountability, as they help controllers not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Regulation (see also article 24). In other words, a DPIA is a process for building and demonstrating compliance.”

Translated, this means that a DPIA is a procedure that has been designed to help organizations identify, assess and mitigate (or minimise) data privacy risks. A DPIA is a direct consequence of the accountability principle of the GDPR.  An organization is accountable for demonstrating that it has taken all of the measures necessary to ensure compliance with the GDPR. A DPIA is the perfect tool for establishing this with regard to those data-processing activities that could constitute a high risk of breaching the rights and freedoms of all the data subject involved.

Why should a marketer care?  (or any other ‘business’ department, for that matter)

Put very simply, because it is the responsibility of the business, as first line of defence, and it is certainly not something any legal, risk or compliance department is responsible for. So maybe it is better to be prepared today when the question will be asked of you tomorrow.

When do you need to carry out a DPIA?

Article 35(1) says: “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”

Well, ‘likely to result in a high risk’ remains a very vague concept.  And if you read a bit further you will find another paragraph that states that the supervisory authority (CPP Commission for the Protection of Privacy in Belgium) will produce a list of the types of processing operations that require a DPIA. Unfortunately, no list has been published yet.  On the other hand, the WP29 has already written guidelines to help companies in deciding which of their processing operations might be considered as ‘resulting in high risk’.

Before we go into detail on what these criteria are, let me refer to my previous article on automated decision-making. For those of you who had the courage to read through the entire article, a DPIA will be required for automated decision-making that has a legal (or similar) effect.  The notion of ‘without human intervention’ has not been repeated in the text of the GDPR, so all your initiatives that involve automated decision-making come under this scope. So yes, your AI initiatives, or predictive analytics or maybe some of your marketing automation strategy might require a DPIA.

The nine criteria in detail

If your processing activity meets at least two of the following criteria, then it is required to perform a DPIA.

1. Evaluation or scoring, including profiling and predicting, especially from “aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements”;
   e.g. behavioural profiling, most segmentation techniques used for marketing purposes.
2. Automated decision-making with a legal or similar significant effect;
   e.g. please refer to the previous article that explains in detail what kind of processing comes under this category.
   
   

3. Systematic monitoring;
   e.g. marketers who were inspired by the advertising possibilities, as shown in ‘Minority Report’ – remember the Big Brother personalised advertising based on facial recognition? – maybe for some of you it already exists today.  Just don’t forget to carry out a DPIA… And if you have not yet seen the movie, it’s worth taking the time. 😉
   
   

4. Sensitive data or data of a highly personal nature;
   e.g. health data, trade union membership, genetic data, etc.
   
   

5. Data processed on a large scale;
   Although there is no clear definition of what constitutes ‘large scale’, the WP29 advises taking the following criteria into account:
   
   
   1. the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
   2. the volume of data and/or the range of different data items being processed;
   3. the duration, or permanence, of the data-processing activity;
   4. the geographical extent of the processing activity.
      
      

6. Matching or combining datasets;
   e.g. data enrichments you might carry out prior to your marketing campaigns.
   
   

7. Data concerning vulnerable data subjects;
   e.g. children, employees, the mentally ill or elderly, etc. In any case where there might be an imbalance in the relationship between the data subject and the controller.
   
   

8. Innovative use or applying new technological or organizational solutions;
   e.g. IoT applications, AI, facial recognition, etc.
   
   

9. When the processing in itself “prevents data subjects from exercising a right or using a service or a contract”. You process data that is necessary to evaluate the possibility of offering your services or your product;
   eg. the processing of health data by an insurance company before entering into an insurance on outstanding balance.                                                                  

Where to get started?

Although there is no official Belgian template published (yet), a very good example can be found on the website of the CNIL (the French cousin of our own CPVP). It is free software you can download and which will guide you through every step in completing a DPIA.

I will not go into detail, since the software is very well documented and will allow you to carry out a DPIA, complete with the necessary explanations should you get lost.

Not just an administrative burden

Maybe this idea is a bit soon to be followed, but recently I attended a presentation on this topic where the lecturer made the analogy with the energy label of electronic devices. This is something I really wanted to share. If you think that DPIAs are just another administrative burden to be dealt with, try to look at them differently. Why not use your DPIAs as a privacy quality label?  When you go to buy a washing machine, do you buy a ‘B’-labelled or an ‘A+’-labelled machine? For those who choose the on with the A+ label, what makes you choose it? Trust and cost-effectiveness are probably on your mind. 

So, try to transfer these concepts to the GDPR. Your DPIAs can confirm your A+ label and maybe your services or products will stand out above those of your competitors. I do realise some of you might not be convinced by this right away.  But hey, who knows when in a few years’ time your company achieves its gold privacy label, you will remember what you once read somewhere about DPIAs….

Hopefully I have managed to demystify the concept of a DPIA a little; but as always, don’t hesitate to ask your questions if it is still not clear.