If you want to know whether all privacy aspects of an application, system or process have been taken into account, you can perform a DPIA. For processing with higher risks, such as sensitive personal data or the monitoring of persons, it is even mandatory to map out the risks in this way. The controller is responsible for this as a whole. But many organizations run into practical questions during the implementation: which officer actually carries out such a DPIA? Is it convenient to allocate the tasks, or is the execution a task that has already been legally assigned to an officer? In this article, we explain whose plate this honorable job could end up on, and why.
Is knowledge of privacy law a requirement?
A DPIA is actually an extensive questionnaire, which includes all the requirements of the General Data Protection Regulation (GDPR). By answering all questions (or noticing that the answer is not yet known), a judgment can be made whether the processing can be started. Due to the legal requirements set by the GDPR, the wording in most standard questionnaires is also somewhat technical. The operator must therefore be familiar with the meaning of terms such as ‘processing’, ‘personal data’ and ‘legal basis’.
Moreover, the purpose of a DPIA is to map out the risks. The operator must therefore be able to estimate which risks may specifically play a role in the intended process or system. For this reason, being familiar with privacy issues is indispensable to make a good risk analysis.
Is the DPIA reserved for privacy officers?
However, a DPIA does not have to be performed by a privacy officer or even by the data protection officer (DPO). First of all, basic knowledge about privacy, such as the concepts mentioned above, is necessary for most employees to have. Certainly for process owners or managers, who are responsible for the implementation of a system or process, it is necessary to be somewhat familiar with the requirements of the GDPR. You do not need to have had a training in privacy law to perform a good DPIA.
In addition, it is specifically not allowed for the DPO to interfere too much with the execution of the DPIA. The DPO has the legal duty to ‘check’ the DPIA. When they complete the questionnaire themselves, there is not much left to check. This would be at the expense of the supervisory tasks that the DPO has: the well-known butcher who inspects its own meat.
Knowledge of the processing is essential
In order to thoroughly map out the risks of a proposed processing, it is necessary to know all the details of the system or process. For this reason, the DPIA is often assigned in work processes to a process owner or manager who is responsible for the implementation. The practical elaboration of the plan can thus be measured against the yardstick of the GDPR, and any problems can be addressed directly in the implementation. As described above, good training when performing DPIAs is of course necessary.
Another possibility is to separate a questionnaire about the practical details of the system or process from the actual DPIA. An employee or manager with knowledge of the details can fill in this questionnaire, after which an expert in the field of DPIAs (for example an internal privacy officer or an external advisor) takes care of the elaboration of the risks. This is often more time-consuming for the entire process, because not all details for the DPIA are already provided directly in the questionnaire. The operator must then return to the relevant department for more information.
If the shoe fits, put it on
Which method is best differs per organization. Are many DPIAs performed and are you willing to invest in thorough training? Then it pays to designate a responsible supervisor for each department. Hopefully, with the help of the feedback from the DPO, the quality of the DPIAs performed will continue to improve. If a DPIA is only occasionally performed, it may make more sense to delegate this task to a privacy officer, who uses input from the departments to map out the risks. An external party can also help to uncover all risks, often with a more neutral view and with less risk of influence on the work floor.
As much as organizations often want to quickly start implementing new plans, carefulness with regard to personal data is of great importance. A DPIA that has not been performed or has been performed poorly can be the start of an expensive process, be it because all kinds of measures have to be taken later in an ongoing process, or because the regulator imposes a fine or compensation.
The extensive DPIA questionnaire in the Privacy Verified portal guides a user through a DPIA in a clear and understandable way. After all, a useful model for carrying out DPIAs can also make a big difference, in addition to the responsible executor.