Written by: Mohit Sahgal

An organization’s ability to perform a Data Protection Impact Assessment (“DPIA”) on a consistently repeatable basis is critical to the success of any GDPR program.  For many organizations with hundreds, if not thousands, of disparate systems, often distributed across heterogeneous platforms, keeping track of what personal data exists, and where, is very difficult.

At that scale, a DPIA cannot be performed manually.  Automation and orchestration are therefore the only reasonable, practical way to catalog key “data at rest.”  Without analytics such as Informatica’s CLAIRE™ engine, which uses artificial intelligence techniques to interrogate, index, and integrate insight from many data stores, conducting impact assessments on a repeatable basis would be impractical.  Informatica’s Enterprise Data Catalog (“EDC”) belongs on the short list of software to enable and execute a DPIA.  Through the use of “scanners,” EDC automatically catalogs and classifies all types of data, making sense of both similar and dissimilar data, and stores this information in a central metadata repository, which can then be searched and enriched with additional context.  Contextualizing the content for consumers completes the 360-degree view of subject metadata.  Once this view exists, an organization can then begin to decide how best to address both subject consents and rights.

The UK Information Commissioner’s Office (“ICO”) provides guidance on how to conduct a DPIA.  Assuming an organization is subject to GDPR, the following DPIA approach is organized around 10 major steps, which complement the UK ICO’s guidance:

  1. Scan all data stores – Including all systemic data stores; that is, structured (e.g., SQL Server, Oracle) and unstructured (e.g., Excel, PDF, email), as well as non-systemic stores (e.g., paper records), for any potential personal or sensitive information.  See Article 4 (definitions, including “personal data”) and Article 9 (special categories of personal data).
  2. Record data lineage and data processing – From source to target; that is, every organization must be able to describe how subject personal or sensitive data is collected, stored, used, deleted, or transferred across the supply chain, and with any third party.  In addition to Article 6, several other Articles require review: Article 9 (special categories) and Article 22 (automated individual decision-making).  Chapter IV, Section 1, Articles 24 – 31, covers the general obligations of controllers and processors, specifically Article 29 (processing under the authority of the controller or processor) and Article 30 (records of processing activities).  And Chapter V, Articles 44 – 50, covers transfers to third countries.
  3. Evaluate “high risk” data processing – Including all processes which act on or use subject personal or sensitive data, including any scoring, automated decisions, and systematic monitoring.  Article 35(3) names the cases for which a DPIA is required: systematic and extensive evaluation based on automated processing, including profiling, that produces legal or similarly significant effects; large-scale processing of special categories or criminal conviction data; and systematic monitoring of a publicly accessible area on a large scale.  See also Article 5 (processing principles) and Article 6 (lawfulness).
  4. Evaluate risks to subject consent and subject rights – Article 7 covers the conditions for consent and Article 8 the conditions for a child’s consent; Chapter III, Articles 12 – 23, covers the 8 basic subject rights, and the communication and documentation required with the subject.
  5. Identify risk remediation strategies – For each identified risk or vulnerability, qualify and prioritize the operational remediation options and the implementation approach.
  6. Identify systemic improvements – In addition to identifying, evaluating, and remediating risks, GDPR also requires attention to risk detection and prevention.  GDPR calls this “data protection by design and by default.”  See Article 25.
  7. Document DPIA results – Record all the DPIA outcomes.  See Article 35 (the DPIA itself; paragraph 7 lists the minimum contents: a systematic description of the processing and its purposes, an assessment of necessity and proportionality, an assessment of the risks to data subjects, and the measures envisaged to address those risks), Article 30 (records of processing activities), and Article 39 (DPO tasks, which include advising on the DPIA and monitoring its performance).
  8. Proactively disclose – When the DPIA indicates a high residual risk that the organization cannot mitigate, Article 36 requires consultation with the supervisory authority before the processing begins.  See Article 36 (prior consultation) and Article 58 (supervisory authority powers).
  9. Communicate – Article 12 covers transparent communication with a subject; Article 33 covers notifying the supervisory authority of a personal data breach (without undue delay and, where feasible, within 72 hours); and Article 34 covers communicating a breach to the affected subjects when it is likely to result in a high risk to them.  In addition, internal communications management, knowledge management, and training are required to institute appropriate “data protection by design” procedures.
  10. Improve – A DPIA must be repeated on a regular basis to continuously assess the impact of risks, the results of risk mitigation and improvement, and compliance with new data management policies; Article 35(11) requires a review at least when the risk represented by the processing changes.  The greater the degree of consistency and repeatability, the greater the opportunity to address gaps and improve confidence that the organization’s response to GDPR is effective and efficient.
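
To make steps 1 and 2 concrete, the following is an added example (not code from Informatica EDC or from the ICO guidance): a minimal discovery pass over constructed sample stores that classifies each structured table and unstructured document, then cross-checks the findings against an Article 30 style record of processing to surface stores that hold personal data but have no recorded lineage, and entries that need a high-risk review.  The detector patterns, column-name hints, store names, and the record of processing are all simplifications assumed for illustration.

```python
"""Added example (not Informatica EDC's or the ICO's code): minimal personal-data
discovery over constructed sample stores, plus a gap check against an Article 30
style record of processing.  Patterns, hints and sample data are assumptions."""
import re
from collections import defaultdict

# Content detectors for common direct identifiers (assumption: simplified patterns,
# no checksum validation; a production scanner would validate IBAN mod-97 etc.).
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone_e164": re.compile(r"\+\d{8,15}\b"),
    "uk_nino": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}
# Column-name hints: direct identifiers (Art. 4) and special categories (Art. 9).
IDENTIFIER_HINTS = ("name", "email", "phone", "address", "dob")
SPECIAL_CATEGORY_HINTS = ("health", "diagnosis", "religion", "ethnic", "biometric",
                          "union", "political", "sexual")

# Constructed sample data stores: structured tables and unstructured documents.
STRUCTURED = {
    "crm.customers": [
        {"id": 1, "name": "Ana Perez", "email": "ana@example.org", "phone": "+34600111222"},
        {"id": 2, "name": "Ben Okoro", "email": "ben@example.com", "phone": "n/a"},
    ],
    "hr.medical_leave": [{"employee": "E-104", "diagnosis": "asthma", "start": "2023-03-01"}],
    "ops.inventory": [{"sku": "A1", "qty": 4}],
}
UNSTRUCTURED = {
    "share://finance/refunds.txt": "Refund to IBAN GB29NWBK60161331926819 for ana@example.org",
    "mail://support/ticket-77.eml": "Caller NI number AB123456C, callback +441234567890",
    "share://eng/README.md": "Build with make; nothing personal here.",
}
# Constructed Article 30 style record of processing (step 2): store -> lineage.
RECORD_OF_PROCESSING = {
    "crm.customers": {"purpose": "contract", "sources": ["web signup"],
                      "recipients": ["billing"], "transfers_outside_eea": []},
    "hr.medical_leave": {"purpose": "employment law", "sources": ["HR portal"],
                         "recipients": ["payroll vendor"], "transfers_outside_eea": ["US"]},
}


def scan_text(text):
    """Names of the detectors that fire on one string."""
    return {name for name, rx in DETECTORS.items() if rx.search(text)}


def classify_structured(tables):
    """Per-table classification: detector hits per column plus column-name flags."""
    out = {}
    for table, rows in tables.items():
        hits = defaultdict(set)
        identifiers, special = set(), set()
        for row in rows:
            for col, val in row.items():
                lc = col.lower()
                if any(h in lc for h in IDENTIFIER_HINTS):
                    identifiers.add(col)
                if any(h in lc for h in SPECIAL_CATEGORY_HINTS):
                    special.add(col)
                if isinstance(val, str):
                    hits[col] |= scan_text(val)
        level = ("special" if special
                 else "personal" if (identifiers or any(hits.values())) else "none")
        out[table] = {"level": level,
                      "columns": {c: sorted(d) for c, d in hits.items() if d},
                      "identifier_columns": sorted(identifiers),
                      "special_columns": sorted(special)}
    return out


def classify_unstructured(docs):
    """Per-document classification from content detectors only."""
    out = {}
    for path, text in docs.items():
        found = scan_text(text)
        out[path] = {"level": "personal" if found else "none", "detectors": sorted(found)}
    return out


def dpia_gaps(structured, unstructured, ropa):
    """Stores holding personal data with no lineage entry, and recorded stores that
    need a high-risk review (special categories or transfers outside the EEA)."""
    inventory = {**classify_structured(structured), **classify_unstructured(unstructured)}
    personal = {k for k, v in inventory.items() if v["level"] != "none"}
    unrecorded = sorted(personal - set(ropa))
    high_risk = sorted(k for k in personal & set(ropa)
                       if inventory[k]["level"] == "special" or ropa[k]["transfers_outside_eea"])
    return {"inventory": inventory, "unrecorded": unrecorded, "high_risk_review": high_risk}


if __name__ == "__main__":
    import json
    print(json.dumps(dpia_gaps(STRUCTURED, UNSTRUCTURED, RECORD_OF_PROCESSING), indent=2))
```

Run against the constructed data, the pass reports the two unstructured files as holding personal data with no record of processing, and flags the HR table for high-risk review because it holds a special category and its record shows a transfer outside the EEA.  The point of the cross-check is that discovery and the Article 30 record are separate artifacts that drift apart; the DPIA is only as good as the reconciliation between them.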

GDPR is a formidable regulation.  Knowing where and how to start turns what appears to be a daunting task into a manageable one.

References:
1. Informatica EDC, https://www.informatica.com/content/dam/informatica-com/global/amer/us/collateral/data-sheet/enterprise-data-catalog_data-sheet_3238en.pdf
2. UK ICO DPIA Guidelines, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/