DPIA stands for Data Protection Impact Assessments for Digital Advertising and refers to a standard for risk evaluation and management in the context of data processing across the online advertising industry under GDPR.
Benefits of DPIA
In plain words, DPIA provides a roadmap for digital advertising businesses across Europe for assessing the risks arising from their processing of Data Subjects’ Personal Data and managing those risks more effectively. In this way, DPIA helps facilitate compliance with GDPR principles when applied together with the TCF 2.0 framework.
When & How to Get Started with DPIA
The fact is, DPIA should be treated as an ongoing activity rather than a static record. As the IAB Europe experts explain, the process needs to be incorporated into the product design and development flow.
In particular, a company’s DPIA should start early in the development process for it to reflect the “privacy by design” and “privacy by default” principles of GDPR.
The process involves a cross-functional team of professionals, i.e. product designers and engineers, as well as the company’s Data Protection Officer (DPO) and information security specialists.
Namely, the expected flow comprises nine stages and requires the following:
- Establishing a DPIA team.
- Defining the objectives and the context of Personal Data processing, and making sure all team members have a clear understanding of these.
- Putting the “privacy by design” and data minimization principles into practice while developing a product, i.e. putting End Users’ privacy rights first and reducing Personal Data processing to the minimum required for meeting the established objectives.
- Evaluating possible risks to Data Subjects’ privacy arising from data processing, retention and disclosure to third parties, and applying risk mitigation measures accordingly.
- Assessing residual risks, as well as the legality and proportionality of data processing under GDPR.
- Continuously maintaining the DPIA, both in terms of compliance and of risk management/mitigation.
Keys to Risk Assessment in DPIA
A comprehensive way to assess possible risks to End Users’ privacy rights is to multiply the likelihood of an adverse event by the severity of its potential consequences:
Risk level = Likelihood × Severity
In this respect, the evaluation of likelihood is usually based on the business’s understanding of the causes of the event, its potential triggers and catalysts, the party responsible for it, and an analysis of its past occurrences, if any.
Namely, the assessment scale basically includes five levels:
- Almost certain
As for the severity analysis, the process involves evaluating the potential consequences of an adverse event, such as those arising from the disclosure of a Data Subject’s Personal Data.
The severity assessment scale also has five levels:
- Moderate (e.g. damage to an individual’s personal relationship and/or social status)
- Major (e.g. ID theft)
- Extreme (e.g. financial loss, job loss, risks to an individual’s health, etc.)
For more information on how to handle Data Protection Impact Assessments, please refer to IAB Europe’s DPIA guidelines.