When should you share your Data Protection Impact Assessment?

At Privacy Company, we have clearly noticed a change in the type of work we do for customers since the General Data Protection Regulation (GDPR) came into effect. Organisations have often implemented the obligations and are now putting more effort into maintaining the level achieved. This includes setting up a "Plan-Do-Check-Act" cycle for privacy and data protection or performing a Data Protection Impact Assessment (DPIA) on a new system or service (Article 35 GDPR). This blog post deals with the latter obligation, and in particular with the publication of a completed DPIA. We will tell you the reasons to make a DPIA public and give some tips on how best to do this!

What is a DPIA?

The DPIA is a way of analyzing processing that may present a high risk to the data subject, such as systems that can follow the person in question, or that can easily place them in a box ('profiling'). Its purpose is to make the protection of personal data part of the consideration process when developing a new service or product. It is one way to meet the Privacy by Design requirement of the GDPR. The instrument is therefore a means to improve compliance with the privacy regulations.

The results of the DPIA must lay out the guidelines for choosing the appropriate measures in order to prove that the privacy regulations are complied with when processing personal data. In this way, the measures reduce the high risks to an acceptable level. If this does not succeed and the risk remains too high, an organisation must turn to the supervisory authority (see the 'prior consultation' in Article 36 GDPR).

It is important to remember that the DPIA is not a static investigation. This means that the DPIA must be amended if the processing changes to such an extent that the previously identified risks also change. Even if no noticeable changes occur, it is still advisable to check periodically (e.g. every three years) whether the DPIA is still up to date.  

Why publish a DPIA?

Many of our clients are faced with the question of whether they should publish their DPIA report. A number of factors should be considered when answering this question and can help you reach a decision.

Disclosure of your DPIA report is not mandatory under the GDPR. You do, however, have a general obligation to inform data subjects about the processing of their personal data (Article 5(1)(a) and Articles 12 to 14 of the GDPR).

Nevertheless, it may be useful to publish the DPIA report - or a summary of it - in the interests of transparency. Carrying out a DPIA and informing about it often strengthens the individual's trust in the data processing and, consequently, in the organisation. This is a great advantage for the organisation. Some organisations therefore impose stricter rules on themselves than the GDPR requires, in order to be even more transparent about the processing of personal data.

Another reason to make a DPIA public is that other organisations can benefit from it. DPIAs often take place because of the use of systems, which of course are used by many more organisations. Being able to use the DPIAs of other organisations can help cut costs. It is also possible to give feedback to the creator of the original DPIA, so that the DPIA can be improved.

A DPIA often involves a lot of work, so it might not feel right to make this know-how freely available. If you prefer not to publish the DPIA report for the whole world but still want to meet other organisations in your industry halfway, that is also possible. For example, you can agree that you will carry out a DPIA on system X and another organisation will carry one out on project Y, so that you can then exchange the knowledge.

How does one go about publishing a DPIA?

If you decide to make a DPIA public, it is necessary to take a number of measures. Not only the measures mentioned in the report to reduce the privacy risks, but also measures to protect your confidential business information.

Before you disclose the DPIA, all confidential data must be removed, such as security settings that (partly) lose their function when they become public knowledge, or information about how you have set up the system that reveals the 'secret recipe' of your services. Information about the system that your supplier has given you, and which you may not be permitted to publish, must also be removed. Additionally, the names of the writers of the DPIA need to be changed, especially if they are external and there are agreements about intellectual property.

You can also go a step further and create a template for performing a DPIA on a particular system or project. In that case, you will extract all confidential data, but you will also specifically indicate which institutions have which risks. This way, the user of the template can execute the DPIA quickly and easily.

What can you do with a public DPIA?

So, you have published the DPIA – then what? Well, the considerations around and advantages to making it public have already been discussed above. But if we look at it from the perspective of someone who found your public DPIA, there are a few more things I would like to point out.

A public DPIA can be very useful, for example to someone who uses a similar system. As a reuser, you must pay attention to the description of the system and the processing of personal data, because these may be very different in the public DPIA than in your situation. That is why it is important to make clear what does and does not fall within the scope of the DPIA, so that (re)users do not overlook crucial things. Therefore, carefully examine the public DPIA, find the differences and determine whether you can take over the risk assessment and measures or whether you may need to make some adjustments.

Conclusion

Your DPIA does not have to be made public, but publishing it can help both your organisation and others to apply and implement the GDPR. However, you should pay close attention to confidential information when disclosing, and when using a public report, check whether you can accept the conclusions or whether you need to amend them. This way, we can all contribute to a privacy-friendly world.

Jill Baehring
Privacy Counsel & external DPO at Privacy Company