You may be all too familiar with your organization’s change-management process, the regular steps of review being used, and maybe even the exact wording of its requirements — some of which may have remained unchanged for years. Up until now, the focus of change management has naturally been centered on the interests of the organization. But now, thanks to the General Data Protection Regulation, companies will have to account for privacy and security measures not only for themselves, but also for the individuals whose personal data exists on their information systems.

Data protection matters

If it’s determined that the GDPR applies to an organization, then it’s likely that the data protection impact assessment (DPIA) requirement has been mentioned as well. Here's what Article 35 regarding DPIAs states:

"Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks."

The takeaway? Any time new processing operations are being implemented, it’s a must to conduct a full assessment of how they will impact personal data protection. Within the new requirement, this stipulation is crystal clear: Organizations will need to find a way to build the DPIA into their processes consistently and continually. The question is, how can your organization adopt the DPIA requirement without causing a major disruption to service delivery?

What triggers a DPIA? 

One of the biggest challenges for most organizations will be the integration of data privacy and protection into their longstanding product delivery model. A good starting point for most is to revisit your organization’s policies and procedures, and assess where a DPIA can fit in the change and risk management documentation.  

Here are some of the circumstances that may prompt a DPIA, according to the GDPR, specifically:

  • Processing using new technologies.
  • Processing that is likely to result in a high risk to the rights and freedoms of natural persons, those EU citizens identifiable from personal data collected or processed by an organization.

As further defined by the GDPR, the following circumstances would obligate a company to conduct a DPIA; specifically, where there is:

  • A systematic and extensive evaluation of personal aspects relating to a natural person based on automated processing, including profiling.
  • Any evaluation on which decisions are based that produce legal effects concerning the person.
  • Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10.
  • Systematic monitoring of a publicly accessible area on a large scale.

Here's what the U.K. Information Commissioner’s Office questionnaire indicates may prompt a DPIA:

  • Will the project involve the collection of new information about individuals?
  • Will the project compel individuals to provide information about themselves?
  • Will information about individuals be disclosed to organizations or people who have not previously had routine access to the information?
  • Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?
  • Does the project involve you using new technology which might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition.
  • Will the project result in you making decisions or acting against individuals in ways which can have a significant impact on them?
  • Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records, or other information that people would consider to be particularly private?
  • Will the project require you to contact individuals in ways which they may find intrusive?

Given its thoroughness, it might be a good idea to develop a screening questionnaire like this one and build it into an established change-management process. It could be based on the ICO’s questionnaire, as noted above, or be more specific to an organization. It’s also important that this survey be designed for all personnel to understand; it should not take a privacy expert to identify the need for a DPIA when using a questionnaire.

Who should be involved in DPIAs?

Let’s assume that the project team is not bursting at the seams with privacy experts. Don’t sweat it — it’s still possible to acquire the specialist insights necessary, and then get proper risk management documentation in place without taking the risk of a best-guess approach on control implementations. 

The ICO makes a few recommendations on individuals that could be sought internally and externally to help with the process:

Internal consultation: project management team, data protection officer, engineers, developers, designers, IT, procurement, potential suppliers and data processors, customer-facing roles, corporate governance and compliance, researchers, analysts, senior management.

External consultation: focus groups, user groups, public meetings and consumer or citizen panels.

In addition, the GDPR provides a few tips that should be considered when consulting for advice on processing activities:

  • Seek the advice of the Data Protection Officer, if applicable.
  • When a DPIA indicates that the processing may result in a high risk, consult the supervisory authority prior to processing.
  • Where appropriate, the controller [should] seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.

Depending on their own processing activities, some organizations may find themselves mandated to reach out to supervisory authorities. In any case, it would be helpful to develop a thorough understanding of the nature and extent of personal data that is stored and processed on specific information systems (i.e. record of processing activities), while also preparing for circumstances that may prompt internal and/or external consultation around a DPIA.

Start to develop your plan

Eventually, it will become easier to identify examples that may warrant a DPIA in a specific organization. Keep in mind, however, that it’s not a one-size-fits-all approach. Each implementation of the DPIA process will differ among organizations. One thing is for sure, though: Everyone should spend the time to determine what will trigger a DPIA. Reviewing policies and procedures will provide a leg up when it comes to understanding the impact of DPIAs and developing a plan that moves forward towards GDPR compliance.  

In thinking like a data privacy professional, the beginning steps for implementation might include:

  • Revising policies and procedures to ensure that DPIAs and privacy by design and by default are included (e.g. change management, risk management, SDLC)
  • Identifying and involving the right people in privacy risk evaluations (DPIAs and risk assessments)
  • Designing a specific screening questionnaire to identify the need for a DPIA
  • Developing and implementing a data privacy impact assessment template