Blog

DPIA: Meaning, Approaches, and Best Practices for Your Data Protection Impact Analysis

In today’s world of privacy regulation, it’s important to understand the mechanics of compliance rules. For privacy regulation in particular, these rules include the creation of key artifacts that show regulators and customers that the company understands and can address key components of the regulation. Your company’s data protection impact analysis, or DPIA, is one such artifact.

In this post we’ll explore what DPIAs involve, the key components to creating your own, and  and how NetApp Cloud Compliance for Cloud Volumes ONTAP and Azure NetApp Files can help you approach this important first step.

What is DPIA?

A Data Protection Impact Analysis (DPIA) is a design analysis requirement for any new system that processes data in keeping with privacy laws, such as GDPR and similar regulations. Typically, a DPIA should take place before substantive development or deployment in order to clarify the information captured, the security of that information, as well the overall risk to the project or plan that data poses.

Now that we have the DPIA meaning out of the way, let’s look at some of the specifics. When it comes to the GDPR process, to satisfy the DPIA requirement the business (or data controller, as GDPR defines it) must specifically:

1. Develop a data processing impact statement for the proposed system to clarify the reason why sensitive personal information is collected, processed, or stored.
2. Develop a systematic description of the system, including:
    • Justification for the collection, processing or storage of privacy data (specific elements).
    • An estimate of the amount or volume of information to be processed.
    • Assessing the rights/regulations protecting persons subject to the collection or processing of personal information.
    • Take measures to assess risk and develop appropriate Data Protection Policy, security controls, and mitigations to protect, control, and safeguard the stored sensitive information and how this will remain compliant with relevant regulations (including consent controls).

3. Take steps to reassess risks and changes to the operational system that might impact the existing DPIA and require an update.

The US and the EU approach to a privacy impact assessment differ a little in the level of the assessment expected and the type of system in scope, but the general DPIA meaning is the same. Based on the location of your organization, it could be that you will find a template or model for the document provided by the most relevant authority. These templates are designed to provide a checklist approach to the legal and technical steps that are required to document the deliverable.

In the following discussion, we will go over the typical sections of a successful approach to a DPIA and approaches you can take, including using NetApp Cloud Compliance for your Cloud Volumes ONTAP cloud data.

How to Complete the Privacy Impact Assessment

The main components of a DPIA are to describe the system and system features that relate to data security and control functionality. Requested format and specific information may vary, based on regulatory authority, but the following sections are common to them all.

System Identification

For system identification the enterprise defines the specific system or plan by describing its specified purpose, name, and technical, geographic and operational constraints.

For example, a system might be described as being designed and created for the collection of marketing information within a specific country, collecting that data from a website and storing it in a regional database. The report would also describe the supporting systems and technical controls that are configured to protect that information from hackers and other external threats, and how employees are trained to handle and protect that data. The policy and notices written to tell users the reason for the collection of information and the lifecycle of that data would also be included in this description.

Notice, Choice, and Consent

A notice, choice, and consent section would describe the processes and controls in place at the company to address notification, and document the policy and procedures for collection, consent (typically prior to any use)

The controls in place can include the company’s security and privacy policies, the procedures for collecting information, procedures for obtaining consent, as well as a description of how the information is maintained, protected, and stored. Because multiple systems and third-party vendors may be included in this process, the collection of systems should be documented, ensuring that each system provides protections appropriate to the regulations that are in question. 

Specific considerations that should be included are 1) an assessment of the information collected to ensure that it is only the minimal information required, 2) processes for any further processing (other than as initially indicated) and the review and handing prior to such use, and 3) policies in place to ensure processing specific restricted information (e.g. criminal conviction information) is handled according to legal compliance rules.

Data Specification, Lifecycle, and Limitations

Any data collected that is in scope for privacy regulation should be identified clearly and categorized as to its purpose and type. This could include a variety of data fields that would be identified, or system files that would hold personal information. Procedures and policies would clarify data processing lifecycle, from how data is captured to how it is processed, stored, and disposed. Processes must include how to remove personal information and what the approved process for authorizing changes to the data lifecycle is.

Control requirements include data retention and storage controls to ensure that there is only approved access to sensitive data.

The description should also include other data protection policy, procedures and controls that are in place to see if an unexpected change occurs in the system that would potentially change the security or integrity of that information.

Other specific considerations to document are those in place to ensure privacy/personal information is not processed or maintained longer than necessary to support the purposes for which they were collected.

Privacy Program Management

This section of the DPIA should describe the company processes used to effectively manage the system and data collected, including communicating with customers or users when changes to that system affect subject rights and/or use of data changes.

You would also indicate any control requirements that are in place, such as those used to track data to ensure changes to backend systems.

The analysis should take into account specific considerations to prepare your enterprise for responding to data subjects access requests and how to provide that information and associated data lifecycle controls.

Accountability

Description – System owners must determine the acceptable legal basis for processing data according to state, country or regional authority as well as customer and vendor contracts. This is an assessment of determining that the means and methods for collecting and processing privacy data are not in violation of regulatory restrictions.

Control requirements for regulatory compliance tend to focus on ensuring that system documentation and technical safeguards are maintained. Compliance programs often focus on the structure of a controls framework that include risk assessment – control deployment – monitoring and reporting functions.

Specific technical security safeguards should be documented and described that show that procedures are used to maintain confidentiality, integrity, availability and resilience of processing services, data backup and recovery. Many security frameworks can be audited regularly.

Monitoring

A DPIA also has to take into account an organization’s methods to ensure compliance of their data collection, processing, and safeguards. This will require monitoring issues such as error conditions, incident root cause analysis, and interactions with data subjects and regulatory authorities. Reporting is typically required for breach and significant changes in the data collection or processing practices.

Monitoring controls focus on collecting evidence in a consistent manner. Controls that monitor threat conditions should be used to monitor for changes. This data should be examined to show trending behavior or activities that indicate potential new risks.

Specific control considerations to specify include mechanisms in place to ensure readiness to address breach and communications with the appropriate authorities.

Third-Party Vendors

Organizations must have policies and procedures for addressing use of third-party vendors in the collection or processing of personal and private information. This extends sufficient assurance to the data subjects that the information the company processes is maintained and secured according to notice, consent, and other privacy policies of the enterprise.

Controls on third party vendors must be codified in contract and/or other documented controls to ensure technical safeguards of data are in place and working as expected. Additionally, vendor changes to address business or other requirements must trigger reassessment of DPIA documentation of the third-party vendor relationships, and possibly notice and consent with data subjects.

Successful Approach Techniques

As you can see, the DPIA common components are common building blocks of many existing security and compliance programs and, hopefully, some security and risk management practices already in place can be referenced to be part of your DPIA.

Role based Access controls, data encryption and other data protection methods are likely to be enterprise wide and part of your DPIA description. However, it’s worth noting that, new regulations are more in alignment with concepts such as “continuous” monitoring and data awareness. Your data privacy protections shouldn’t just come into play after regulations are violated, they should help prevent violations before they take place.

One way that NetApp is helping to protect companies better protect themselves with such always-on privacy controls is with NetApp Cloud Compliance feature of Cloud Volumes ONTAP and Azure NetApp Files. Cloud Compliance supports your data compliance journey by providing a means for companies to address regulatory requirements to manage and secure private data in the cloud.

How does it work? Cloud Compliance uses artificial intelligence (AI) to scan data throughout your cloud volumes.

Additionally, Cloud Compliance offers key features that will assist your firm in maintaining compliance with data privacy regulations, including:

  • Automated Data Protection Impact Analysis Report
  • Automated Data Subject Access Request reports
  • Alerts to identify potential compliance policy risks

These are all valid controls for better defining exact DPIA reports and will help to maintain better security while remaining compliant with privacy regulation such as GDPR regulation and other regulations.

Conclusion

Understanding how data privacy regulations will affect your company is written into the data privacy regulations themselves. Defining your DPIA, meaning the stance your company will take towards the regulation, can be a significant early hurdle on the way to being compliant with new and changing regulations. 

Technical controls for achieving and maintaining compliance that remove the burden of manual searching can go a long way towards creating accurate DPIA assessments. For Azure NetApp Files and Cloud Volumes ONTAP users, that’s a lot easier with the new Cloud Compliance technology.

 Read more about Cloud Compliance.

-