A Data Protection Impact Assessment (DPIA) is a systematic analysis of data processing activities to help identify and mitigate risks to individuals. The Data Protection Act, 2019 (DPA) mandates that organisations carry out a DPIA when a data processing activity poses a high risk to the rights and freedoms of data subjects. This guide summarises the steps in conducting a DPIA based on guidelines from the Office of the Data Protection Commissioner (ODPC).
Step One: Identity The Need For a DPIA
The first step is determining whether a DPIA is required. Under the DPA, a DPIA is mandatory for any data processing activity that poses a high risk to the rights and freedoms of individuals, particularly if the process involves:
- Large-scale data processing.
- New technology that may impact data privacy.
- Processing sensitive personal data, such as health, genetic or financial data
- Concerns vulnerable subjects.
- Automated decision-making with a legal or similar effect.
- Systematic monitoring.
This step involves evaluating the data processing operations to ascertain whether they meet the threshold for risk that requires a DPIA. Below are a few examples of projects involving processing activity that may necessitate the need for a DPIA:
- A healthcare startup wants to launch a new digital health platform that collects and stores sensitive patient information, including medical histories, lab results, and treatment plans.
- A security company designed a new technology that uses facial recognition scanning that can potentially be used for mass surveillance.
- A bank builds AI-driven software for loan approval, where decisions are made based on automated profiling and analysis of user data.
It is important to note that a DPIA must be conducted before any processing activity concerning the project.
Step Two: Define Responsibilities & Standards
Organisations should establish who is responsible for carrying out the DPIA. This process is typically led by the Data Protection Officer (DPO) or an equivalent nominated authority such as the Head of IT.
This step also includes identifying the relevant laws, regulations, and policies applicable to data processing, such as the DPA, the General Regulations and other applicable standards that the organisation is subject to.
Step Three: Identify Personal Data Involved
This entails determining the kind of personal data that will be collected, processed, and stored. The following aspects should be detailed:
- Categories of personal data (e.g., names, addresses, financial details);
- Categories of sensitive personal data (e.g., genetic data, marital status, biometrics);
- Data subjects affected (e.g., clients, employees, suppliers); and
- The purpose for collecting data.
Step Four: Outline The Data Life Cycle
This step entails understanding the entire data life cycle, from collection to deletion. This involves mapping out the various stages through which the data will pass, including:
- Data acquisition:
- How is the data collected? (e.g., through user interaction with the product, forms, data brokers)
- What is the purpose for collecting the data?
- Data processing:
- What processing activities are performed?
- How is the data used? (e.g., marketing communication, administration of employee benefits, creditworthiness assessments)
- Is the data transferred outside of Kenya? What safeguards are in place in relation to this?
- Data storage:
- Where and how is data stored?
- Is it regularly backed up?
- Where are the servers located?
- What form is it stored in?
- What security measures are in place?
- Is the personal data collected relevant, accurate, and limited to what is strictly necessary for the purpose?
- Data retention:
- How long is the data retained for?
- For what purpose?
- Data deletion:
- What are the procedures for securely deleting data after the retention period ends? (e.g., anonymisation, shredding of physical records, transfer to National Archives)
Step Five: Establish the Legal Basis for Processing
Each data processing activity must have a lawful basis as provided under the DPA. The organisation must document the specific legal basis for each type of data processing. The common legal basis are as follows:
- Consent from the data subject:
- Is consent given freely given, specific, unambiguous?
- How is this collected?
- Is there a record of these consents?
- Performance of a contract;
- Compliance with a legal obligation;
- Legitimate interests pursued by the data handler:
- Would the individual reasonably expect their data to be used in this way?
- Could the processing cause unwarranted harm to the individual?
- Do the individual’s interests override the data handlers in this case?
- Is there a clear justification for proceeding with the processing despite any potential conflict with the individual’s interests?
Step Six: Consider Data Subjects Rights
The DPA provides data subjects with various rights in relation to their personal data. These include the right to access their personal data held by an organisation; the right to rectify any inaccuracies; the right to erasure; the right to restrict how their data is processed; the right to object; the right to privacy; and the right to data portability. These rights must be upheld throughout the data processing cycle. The organisation must assess the following regarding the data subject rights:
- Are data subjects informed of their rights?
- What mechanisms are in place to enable data subjects to exercise these rights?
Step Seven: Assess Risks and Impacts
Organisations must identify any potential risks that could arise from the data processing activities and evaluate the impact of each activity, considering data sensitivity, volume, breach likelihood, and potential harm. Organisations should consider the following:
- What are the risks of processing the data? (e.g., data breach, unauthorised access)
- What would be the extent of the impact should any of the risks manifest?
- What are the main threats that could lead to the risk? (e.g., poor security standards, phishing attacks, malware)
Step Eight: Propose Solutions and Mitigation Measures
The step involves identifying the planned or existing measures to mitigate the identified risks. This may include a combination of organisational and technical measures such as encryption, access controls, segmenting data, multi-factor authentication, password requirements, staff training, policies, regular backups and more.
Step Nine: Reporting to the ODPC
After concluding the DPIA, organisations may be required to report their findings with the ODPC if the results show that the processing will pose a high risk to the rights and freedoms of data subjects that cannot be mitigated. Organisations must report to the ODPC at least 60 days before the project launch or processing activity commences.
Conclusion
A DPIA is an essential tool for safeguarding personal data and ensuring compliance with data protection regulations. By following these steps, organisations can not only identify and mitigate risks but also demonstrate accountability and transparency in their data processing practices. If you or your organisation needs support on data protection compliance, registration, breach handling or more, BDPS has a team of specialists to assist you. Please contact us at info@bdps.co.ke with your query.
Written by Cherono Barno