Data Protection Impact Assessments
A Data Protection Impact Assessment (DPIA) is a tool for building and demonstrating compliance with the GDPR. A DPIA applies a systematic process for assessing the impacts of the processing of personal data and the effect that processing has on the fundamental right to privacy of the data subject (e.g. patient). The DPIA process is not a one-time exercise and should be continuously reviewed and regularly re-assessed.
In some cases, a DPIA is voluntary. However, in many areas of the HBP a DPIA will be mandatory: specifically, in areas where the processing of personal data has the potential to “result in a high risk to the rights and freedoms of natural persons.” In particular, HBP platforms, and more generally the scope and subject matter of research in many of the SPs, contain special categories of sensitive personal data (e.g. medical data).
The HBP is starting its DPIA work in SP8 with the Medical Informatics Platform (MIP). The SP8 DPIA will apply the methodology created by the Commission Nationale de l'Informatique et des Libertés (CNIL, the French Data Protection Authority). The CNIL methodology is supported with open source software tools for conducting a Privacy Impact Assessment (PIA), which are useful in conducting a DPIA. Furthermore, the CNIL guidance incorporates the requirements of the GDPR and the Working Party 29 opinion on DPIAs. The CNIL methodology can be combined with other DPIA methods including those developed by the ISO (International Organization for Standardization).
The sources below will be of interest to SPs interested in starting a DPIA:
- CNIL Privacy Impact Assessment (PIA) methodology
- CNIL Privacy Impact Assessment (PIA) open source software
- ISO/IEC 29134:2017, ‘Information technology -- Security techniques -- Guidelines for privacy impact assessment’ (2017)
- UK Information Commissioner's Office (DPA), ‘Conducting privacy impact assessments code of practice, Information Commissioner’s Office (ICO)’ (2014)
- UK Information Commissioner’s Office, ‘Consultation: GDPR DPIA Guidance’ (22 March 2018)
- Working Party 29 248, ‘Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, wp248rev.01’ 1-22 (2017)
- Wright et al., ‘Integrating privacy impact assessment in risk management’ (2014) 4 International Data Privacy Law 155-70
This page was last updated on 08/05/2018.