Data Protection Impact Assessments (DPIA) or Privacy Impact Assessments (PIA) are the critical risk assessments that must be performed when potentially risky processing of personally identifiable information takes place. DPIAs are feared for their complexity and the amount of time they consume. In this article we look at the effort, and consequently the cost, that needs to be budgeted for when planning the data protection organization.
Background information
A DPIA is typically designed to accomplish three main goals:
- Ensure conformance with applicable legal, regulatory, and policy requirements for privacy.
- Identify and evaluate the risks of privacy breaches or other incidents and effects.
- Identify appropriate privacy controls to mitigate unacceptable risks.
A DPIA needs to be performed when the processing is likely to result in a high risk to the rights and freedoms of natural persons, mostly from a data protection perspective.
In practice, that means assessing the appropriateness, necessity and proportionality of the processing, identifying and analysing the risks, and selecting and prioritizing appropriate measures.
Effort
Conducting a DPIA requires multiple people with different domain knowledge to come together and combine their expertise. The resulting risk analysis has to be easy to understand so that it can be evaluated against one question: Are the remaining risks acceptable?
In November 2022, ECOMPLY conducted a survey asking 42 data protection experts to rate how much time they consider one DPIA to consume. While, of course, no two DPIAs are the same and the effort depends heavily on context (type of processing, structure of the organization, experience), the participants were asked to provide an average figure. The answer was almost unanimous: a DPIA that relies on Excel spreadsheets can easily consume 3 to 4 whole days, or more than 30 hours of work.
The tools used to conduct these DPIAs are Microsoft Word, Excel sheets and the CNIL PIA tool. Although the idea of a DPIA is that the person in charge of the processing conducts it and the DPO merely audits the result, in reality DPOs are the ones conducting DPIAs, interviewing the persons in charge of the processing along the way.
Consequence
The fact that DPIAs are mostly conducted by DPOs and consume several days of work each puts a practical limit on the number of DPIAs that can reasonably be conducted, as well as on the quality of each DPIA. The main limiting factor is staff time. What we are seeing is that the budgets and resources made available to data protection teams are insufficient to maintain DPIAs reliably.
If we assume that a working hour of a data protection expert costs about 100 Euros (more if hired externally), then each DPIA translates into a cost of up to 3000 Euros.
Approaches
Due to the lack of resources, we observe that a lot of businesses are not conducting DPIAs at all, simply because the data protection team does not have the time to do so. Of course, this approach exposes the organization to the risk of severe fines from data protection authorities for not meeting its legal obligations.
The alternative approach is the one mentioned above, where the data protection team issues questionnaires (typically Word documents) to the people in charge of certain processing activities to get a better understanding of the details of the processing. The responses are then processed by a data protection team member and entered into the CNIL PIA tool. The CNIL PIA tool is very versatile, which comes at the price of complexity. In the last step, all results are manually compiled into a DPIA report document, usually in Microsoft Word.
If you have read this far, you might be interested to know that ECOMPLY has created a DPIA assistant. This assistant software guides the user through the entire process of conducting a DPIA, with the following benefits:
- Information that already exists in the system is taken into account by the assistant
- The linear assistant leaves no room for confusion because it guides the user step by step
- Filling out the assistant can be delegated, freeing up time in the data protection team
- The software compiles all information into one concise report that lets users easily review, archive and forward the results of the DPIA
- The assistant is built to put together a DPIA in less than two hours, from the first thought to the finished report, yielding savings of up to six hours or 600 Euros on each DPIA
Do you want to know more? Reach out today!
ECOMPLY is GDPR compliance management software that assists in building and maintaining compliance documentation. Check out our website or contact us for more information.