
EIPD: how to automate the GDPR impact assessment


By Anaraya Albornoz

Published: 30 April 2025

The EIPD (Evaluación de Impacto en la Protección de Datos, the Spanish term for the Data Protection Impact Assessment, DPIA) is one of the obligations introduced by the GDPR. Have you identified a data protection risk in your company? Find out what you need to do for each of the processing operations concerned.

The impact assessment, also known as a PIA (Privacy Impact Assessment), is a comprehensive study whose aim is to assess the impact of one or more data processing operations on the privacy of the individuals concerned.

Find out the key concepts for GDPR compliance and discover the best solutions to be compliant.

What is a PIA?

The DPIA, or Data Protection Impact Assessment, is one of the provisions of the European data protection framework, the GDPR (General Data Protection Regulation).

Under Article 35(7), the DPIA must describe the processing and its purposes, assess the necessity and proportionality of the processing in relation to those purposes, identify the risks to the rights and freedoms of the data subjects, and detail the measures envisaged to address those risks.

"An impact analysis is highly recommended by the authorities and should be initiated before data processing is started".

However, the GDPR impact assessment must be maintained and updated throughout the entire lifecycle of the processing.

Why conduct a GDPR impact assessment?

An impact assessment is the best way to verify the compliance of a processing operation and to prevent risks such as the loss or exposure of the data processed.

Conducting an impact assessment enables data controllers to:

  • Determine the cause of a risk and estimate the likelihood of it materialising;

  • Improve data processing so that the rights of individuals are respected;

  • Meet the technical and organisational conditions necessary to comply with the regulation;

  • Demonstrate risk management to the authorities.

While the GDPR impact assessment is recommended for all companies collecting and managing personal data, in many cases the DPIA is mandatory, and failure to carry one out is a serious infringement subject to administrative fines.

Article 35 GDPR: when is an impact assessment mandatory?

"It establishes that if a processing operation is likely to 'involve a high risk to the rights and freedoms of natural persons', a DPIA must be carried out prior to the implementation of the processing operation. This obligation is aligned with the privacy by design principle, which aims to analyse a processing operation from its design phase and ensure adequate risk management, in addition to complying with the principles of necessity and proportionality."

Article 35(3): processing operations likely to involve a high risk

Automated profiling

(a) 'a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person';

Large-scale processing of special categories of data

(b) 'processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10';

This refers to the processing of sensitive data: genetic data, health data, data revealing racial or ethnic origin, personal data relating to criminal convictions and offences, and so on.

Systematic monitoring with invasive technologies

(c) 'a systematic monitoring of a publicly accessible area on a large scale'.

Typical examples: video surveillance, drones, biometric identification.

Other processing operations requiring an EIPD

  • Data of children under 14 years of age (the age of consent set by the Spanish LOPDGDD);

  • Transfers of data, in particular international transfers to a country outside the European Economic Area;

  • Personal data that are not anonymised, or that are only pseudonymised;

  • Any processing involving the collection of highly sensitive data;

  • Any processing involving the collection of a significant volume of data;

  • Cross-referencing or combining of datasets, or changes to the data processed or to the purpose of the processing;

  • Processing of data relating to vulnerable persons (patients, the elderly, children, etc.).

EIPD example: processing requiring assessment

A company implements an advertising processing operation with the aim of collecting the geolocation data of millions of individuals in order to create advertising profiles and show them personalised advertising based on their geographical position. Geolocation is not an Article 9 special category, but it is data of a highly personal nature, and here it is combined with large-scale collection, profiling and systematic tracking of individuals, so the processing is likely to involve a high risk. A data protection impact assessment is necessary.

Who is involved in carrying out the DPIA?

The advice of the DPO in carrying out the impact assessment is essential to avoid risks.

The controller has the obligation to ensure compliance with the GDPR and is responsible for the DPIA.

If a DPO (Data Protection Officer) has been appointed, the controller must seek his or her advice (Article 35(2)), and the DPO monitors the performance of the impact assessment (Article 39(1)(c)).

If a processor is involved in the processing, it must assist the controller and provide the information necessary for carrying out the DPIA (Article 28(3)(f)).

To do or not to do the DPIA? → The AEPD's guidance and a risk analysis are the answer.

Still not clear whether any of your company's operations require an impact assessment? No problem: once you have carried out the GDPR risk analysis, you will have no doubts left.

If you don't know what a risk analysis is or how to carry it out, you can take a look at our article on GDPR risk analysis.

The aim of this exercise, which is mandatory for every processing operation, is to determine whether there are circumstances that subsequently require a full GDPR impact assessment.

Content of the GDPR impact assessment

The EIPD guide of the Spanish Data Protection Agency shows in detail the methodology to be followed in order to prepare an EIPD in accordance with the requirements of the GDPR.

The assessment is divided into 3 main steps:

  • Description (from capture to destruction of data) and context of the processing (lawfulness, necessity and proportionality);

  • Identification, assessment and risk management;

  • Conclusion (action plan) and validation (favourable or unfavourable conclusion).

Likewise, the AEPD recommends that the action plan should include:

  • description of the control measures,

  • the person responsible for implementation,

  • implementation deadline.

It should also be indicated whether the DPIA has been carried out on a new processing operation or on an existing one.

  1. For a new processing operation, the action plan is implemented before the processing starts; this is the principle of data protection by design.

  2. For an existing processing operation, the controller must set a deadline for implementing the action plan on the ongoing processing. If that deadline is not met and the residual risk is not acceptable, the controller can, and must, have the processing stopped.

Article 36 GDPR: prior consultation of the supervisory authority (in Spain, the AEPD)

"The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk."

If the conclusion of the DPIA identifies a high risk, the controller may adopt additional control measures to reduce the risk to an acceptable level. However, if the risk cannot be mitigated, the processing must not start and the controller is obliged to consult the supervisory authority first.

The supervisory authority may set the conditions and control measures under which the processing can go ahead (Article 36(2) gives it eight weeks, extendable by a further six, to provide written advice). It may also conclude that the processing cannot be carried out under any circumstances.
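As an added example (not part of the original article, the AEPD's methodology or either vendor's tool described below), the screening logic of Article 35 and the residual-risk logic of Article 36 can be written down as a small worksheet. The Processing, Risk and Control classes, the 1 to 4 likelihood and impact scale, the level thresholds and the reduction values attributed to each control are assumptions chosen for this illustration; the sample scenario is the geolocation advertising case from this article, with constructed risks and controls.

```python
"""Added example: DPIA screening check and residual-risk worksheet.

Illustrative code only. The 1-4 scale, the level thresholds and the
control "cut" values are assumptions made for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Processing:
    """Screening facts about one processing operation."""
    name: str
    large_scale: bool = False
    automated_decisions_legal_effects: bool = False  # Art. 35(3)(a)
    special_or_criminal_data: bool = False           # Art. 9(1) / Art. 10 data
    systematic_monitoring_public_area: bool = False  # Art. 35(3)(c)
    minors_data: bool = False                        # indicators from the article's list
    vulnerable_subjects: bool = False
    transfer_outside_eea: bool = False
    highly_personal_data: bool = False               # e.g. geolocation
    data_matching_or_purpose_change: bool = False


def article_35_3_triggers(p: Processing) -> list[str]:
    """Return the Article 35(3) cases the operation falls under."""
    hits = []
    if p.automated_decisions_legal_effects:
        hits.append("35(3)(a) profiling with legal or similar effects")
    if p.large_scale and p.special_or_criminal_data:
        hits.append("35(3)(b) large-scale special-category or criminal data")
    if p.large_scale and p.systematic_monitoring_public_area:
        hits.append("35(3)(c) large-scale monitoring of a public area")
    return hits


def other_indicators(p: Processing) -> list[str]:
    """Indicators taken from the article's 'other processing operations' list."""
    flags = [
        (p.minors_data, "data of minors"),
        (p.vulnerable_subjects, "vulnerable data subjects"),
        (p.transfer_outside_eea, "transfer outside the EEA"),
        (p.large_scale and p.highly_personal_data, "large-scale highly personal data"),
        (p.data_matching_or_purpose_change, "dataset matching or change of purpose"),
    ]
    return [label for flag, label in flags if flag]


def dpia_required(p: Processing) -> bool:
    """Assumption: any Art. 35(3) case or any listed indicator makes the DPIA mandatory.
    A real screening must also check the supervisory authority's Art. 35(4) list."""
    return bool(article_35_3_triggers(p) or other_indicators(p))


@dataclass(frozen=True)
class Control:
    description: str
    owner: str               # person responsible (AEPD action-plan field)
    deadline: str            # implementation deadline (AEPD action-plan field)
    likelihood_cut: int = 0  # assumed reduction of the 1-4 likelihood score
    impact_cut: int = 0      # assumed reduction of the 1-4 impact score


@dataclass
class Risk:
    description: str
    likelihood: int  # 1 (remote) .. 4 (very likely), assumed scale
    impact: int      # 1 (negligible) .. 4 (severe), assumed scale
    controls: list[Control] = field(default_factory=list)

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Score after the action plan; floored at 1 so no control removes a risk entirely."""
        lk = max(1, self.likelihood - sum(c.likelihood_cut for c in self.controls))
        im = max(1, self.impact - sum(c.impact_cut for c in self.controls))
        return lk * im


def level(score: int) -> str:
    """Assumed thresholds on the 1..16 product: <=2 low, <=6 medium, otherwise high."""
    return "low" if score <= 2 else "medium" if score <= 6 else "high"


def action_plan(risks: list[Risk]) -> list[dict]:
    """Flatten the controls into the three fields the AEPD recommends for the action plan."""
    return [{"risk": r.description, "control": c.description, "owner": c.owner, "deadline": c.deadline}
            for r in risks for c in r.controls]


def conclusion(risks: list[Risk]) -> str:
    """Art. 36 logic: a residual high risk means prior consultation, not processing."""
    if any(level(r.residual()) == "high" for r in risks):
        return "unfavourable: prior consultation with the supervisory authority (Art. 36)"
    if any(level(r.inherent()) == "high" for r in risks):
        return "favourable subject to the action plan being implemented before processing"
    return "favourable"


# Constructed sample: the article's geolocation advertising scenario.
GEO_ADS = Processing("geolocation advertising profiles", large_scale=True, highly_personal_data=True)
GEO_RISKS = [
    Risk("Tracking and re-identification from precise location history", 4, 4, [
        Control("Coarsen coordinates to a 1 km grid before storage", "Data engineering lead", "2025-06-30", impact_cut=2),
        Control("Delete raw location events after 30 days", "Platform team", "2025-06-30", likelihood_cut=1),
    ]),
    Risk("Unauthorised access to the location store", 3, 3, [
        Control("Encrypt at rest; restrict access to the ads service role", "Security engineering", "2025-05-31", likelihood_cut=2),
    ]),
]

if __name__ == "__main__":
    print("DPIA required:", dpia_required(GEO_ADS), other_indicators(GEO_ADS))
    for r in GEO_RISKS:
        print(f"{r.description}: inherent {r.inherent()} ({level(r.inherent())}), "
              f"residual {r.residual()} ({level(r.residual())})")
    print("Conclusion:", conclusion(GEO_RISKS))
```

Run as a script, the sample reports that a DPIA is required, that both inherent risks are high, that the action plan brings them down to medium, and therefore a favourable conclusion conditional on the plan. Remove the controls and the same code returns the unfavourable Article 36 outcome, which is the check a reviewer wants: the conclusion must follow from the residual scores, not from whoever fills in the form.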

The data protection impact assessment is a thorough and exhaustive process in which every aspect of the processing is assessed, from beginning to end and taking all variables into account. Fortunately, tools are now available to automate and streamline both the business process and the legal obligation.

Data Protection Impact Assessment Tools: 2 examples

Data Privacy Solution

Data Privacy Solution is a 100% Spanish solution for data protection within the framework of the GDPR and the LOPDGDD. The tool has been designed for all types of companies and consultants.

How does Data Privacy Solution help with the EIPD?

Data Privacy Solution enables the generation and management of EIPD by multiple users, including the DPO for review. Thanks to the SaaS model, the DPO and all users have access from anywhere and at any time.

This GDPR software indicates whether, for a given processing operation, a risk analysis is sufficient or a full EIPD is required. Moreover, even if only the risk analysis is required, the user can choose to also perform the risk treatment or even the entire EIPD.

Both the risk analysis and the EIPD are based on the guidelines and good practices of the AEPD (Spanish Data Protection Agency).

Privacy lawyers and information security engineers are responsible for the creation of the complete tool.

Smart GDPR

The online solution (SaaS) Smart GDPR meets all the requirements of the European regulation.

30 years of experience in data protection, information security and privacy protection support the legitimacy of Smart GDPR as one of the best GDPR solutions.

To date, Smart GDPR brings together all the resources necessary for GDPR compliance on a single platform!

How to do an impact assessment with Smart GDPR?

Smart GDPR offers a module that facilitates the GDPR risk assessment. This module is entirely dedicated to:

  • Audits.

  • Risk analysis.

  • Impact assessment (PIA).

  • Semi-automated action plans.

  • Project management.

The module has 1,460 processing checkpoints evaluated by an algorithm. As a result, the time savings are considerable and the results are accurate: Smart GDPR performs in one hour what would normally take about five.

The action plan is automatically generated (based on the responses) accompanied by a detailed list of control measures to be put in place.

Each response is automatically assigned a score. In case of a score below the average, the response must be systematically reviewed by the data controller or the DPO. You can also indicate whether you wish to examine all responses.

Smart GDPR + additionally covers a financial risk of up to 90 million euros in the event of a compliance failure on your part.

Automating the assessment process

Digital tools, data protection legislation and business processes are constantly evolving; implementing a SaaS solution allows you to keep up with your obligations as they change.

Article translated from Spanish