The General Data Protection Regulation (GDPR) has been one of the major forces changing business and public attitudes toward data privacy and protection. It took effect in 2018 with some of the most stringent privacy requirements companies had seen to date, backed by hefty fines for noncompliance.
Thanks to the GDPR, companies now need to publish a privacy policy that discloses how they collect, process, and use consumer data, follow guardrails for using that data in good faith, and develop a Data Protection Impact Assessment (DPIA) for new projects that do or may involve consumer data.
What Is a Data Protection Impact Assessment (DPIA)?
A DPIA is an evaluation that companies or specific business functions complete to identify whether or not a project, product, or business initiative poses any significant risk to consumers’ data privacy. Essentially, it’s a plan to help mitigate, address, and communicate these risks if they ever come to pass.
A DPIA is mandatory for any and all projects that involve collecting or processing personal and sensitive consumer data, where a breach could blow back negatively on the consumer. A DPIA isn’t required for an organization as a whole but for individual projects, products, or even business functions.
When Do You Need a DPIA?
According to the GDPR, a DPIA is required “whenever processing is likely to result in a high risk to the rights and freedoms of individuals.” Simply put, if your project puts consumer data at risk or could make consumers’ lives harder, you need a DPIA.
Some other examples of times you may need a DPIA include:
- If a new feature of your app needs or processes social security numbers, bank account numbers, or driver’s license information on a large scale
- If you’ve set up surveillance in large public spaces
- If you systematically and extensively collect information about a person in order to build a profile on them (which includes a lot of modern marketing)
- If you frequently check your customers’ credit in a reference database
Essentially, any business operation that requires consumer data on a large scale should have a DPIA prepared to outline potential risks and routes for resolution.
When Should You Create a DPIA?
A DPIA won’t be valid if it is created after the project it is meant to govern has already launched. Instead, the DPIA needs to be developed while the project itself is being developed, so that the company can accurately outline its process, how it plans to collect and use data, and its risk mitigation strategy should anything go wrong.
Benefits of DPIA
The DPIA is a critical part of a business’s privacy compliance strategy, not just because of the heavy fines, but also because it encourages customer trust.
Eighty-seven percent of respondents to a McKinsey survey said they would not do business with a company if they didn’t trust its privacy practices. Creating a DPIA is a major part of building this trust, as it lets consumers know that you take their privacy seriously.
Takeaways
As the business world becomes more data-driven and customers become more attentive to who uses their data and how, creating a DPIA — and updating it regularly — is a necessary step for maintaining compliance and building consumer trust.