May 9, 2018

DPIA Under GDPR – Consult Your Data Subjects

Author: P, Gopichand

April 23, 2018

Effective GDPR compliance requires you to consult your data subjects or their representatives while conducting a data protection impact assessment.

According to article 35(9) of General Data Protection Regulation (GDPR), while conducting a data protection impact assessment (DPIA), an organization should seek the views of data subjects or their representatives on the intended processing without prejudice to the protection of commercial or public interests or the security of processing operations.

What is a DPIA and what does it do?

A DPIA is a process for assessing the impact on privacy of a project, policy, program, service, product, or other initiative, and for taking remedial actions as necessary to avoid or minimize any negative impact. It is a key part of complying with the GDPR where high-risk data processing is involved.

DPIAs help organizations identify, assess, and mitigate or minimize privacy risks with data processing activities. DPIAs are important tools for accountability, as they help controllers comply with and demonstrate that appropriate measures have been taken to ensure compliance with GDPR requirements. In other words, a DPIA is a process for building and demonstrating compliance.

Why is consultation with data subjects important?

Consultation with the data subjects who will be affected is an important part of the DPIA process and enables an organization to understand the concerns of those data subjects. Consultation also improves transparency by making data subjects aware of how information about them is being used.

Under GDPR, non-compliance with DPIA requirements can lead to fines imposed by the competent supervisory authority. Failure to carry out a DPIA when the processing is subject to a DPIA Article 35(9) can result in an administrative fine of up to €10 million, or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Setting up a data subject consultation process

A few of the consultation mechanisms that can be considered are focus groups, user groups, public meetings, consumer panels, town hall meetings, individual interviews, paired interviews, and surveys – depending on the type and nature of processing.

To this end, here are some logical steps to help you set up a solid consultation process with your data subjects:

Design a consultation process and create guidelines for the process.
Develop a communication and response gathering strategy.
Provide your data subjects with adequate information about the project in a clear manner for them to make valid contributions; explain what the process will be, why the consultation is being undertaken, how long it will last, what are the expected results, and how they will be used.
Document the reasons, in the event your data controller’s final decision differs from the views of the data subject.
Document the justification with clear explanations for not seeking the views of the data subject, in the event your data controller decides the data subject’s consultation isn’t appropriate.

The benefits of data subject consultation

Consulting data subjects or their representatives enables your organization to:

Assess the risk to your data subjects’ rights and freedoms, and identify measures to reduce risk to an acceptable level.
Demonstrate compliance with GDPR requirements.
Foster greater trust and confidence of your data subjects and data controllers.
Benefit from options based on a wider range of views gathered.
Identify risks related to significant social or economic disadvantage.
Improve understanding of your data subjects’ needs, concerns, and expectations.
Avoid potential reputational damage at a later stage.

To conclude, consulting data subjects enhances the effectiveness of your DPIA process, which helps to ensure GDPR compliance. In the absence of a data subject consultation process, it is strongly advised that you document the reasons for not consulting your data subjects, with valid reasons to help you demonstrate compliance if challenged.

Source: CAP GEMINI https://www.capgemini.com/2018/04/dpia-under-gdpr-consult-your-data-subjects/

Are you ready to enter the limitless world of RegTech? Your journey starts here.

Request demo

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Blog

DPIA Under GDPR – Consult Your Data Subjects

Related Articles

Cryptocurrencies: An Avenue for Sanctions Evasion?

‘Bring Your Kid to Work Day’ 2023: Where iMATTER and Innovation Intersect

Debanking of PEPs – The Case of Nigel Farage

Are you ready to enter the limitless world of RegTech? Your journey starts here.