Data is becoming increasingly valuable, and there will inevitably be exploitation of subjects’ private information in a rapidly expanding internet age. Because the illegitimate and unauthorised processing of personal data can cause significant harm to individuals, the protection of personal data of subjects is intended to ensure such individuals’ rights and freedoms in relation to their data.
Data protection regulations are required to ensure the fair provision of services to individuals, as well as a trustworthy environment in which customers can trust the brands and companies with whom they share their personal data.
A Data Protection Impact Assessment (DPIA) is therefore an evaluation you undertake as a data controller or a data processor. The process helps you identify and assess the potential risks involved in processing data, decide whether those risks are too high, and work out how to mitigate them.
In very simple terms, when an organisation takes on a project that requires surveying and processing the data of many people, that level of processing is likely to carry risks. A DPIA is needed here to first identify those risks, then weigh them and decide how much risk is involved.
For better understanding of this concept, we will begin by defining some terms.
Data Controllers – In simple terms, a data controller is a person or an organisation that determines the purpose of processing, that is, what will be done with the personal data of subjects and in what way it will be processed.
Data Processor – A data processor acts on the data controller’s instructions. Although a processor can make certain decisions about how the processing will be carried out, it has limited control over the data. Examples of data processors include digital payments firms, or a printing company organising the personal data of a data controller’s clients.
Personal Data – According to the General Data Protection Regulation (GDPR), Personal Data is any information that relates to an identified or identifiable living individual. An example of this is information about your name and your place of residence.
This information when put together can be used to identify you; this is the reason the law steps in to protect your data.
What Does the GDPR Say About It?
A Data Protection Impact Assessment (DPIA) is required under the GDPR any time you begin a new project that is likely to involve “a high risk” to other people’s personal information.
Article 35 of the GDPR covers the provision of Data Protection Impact Assessment. The DPIA is a requirement under the GDPR as part of the “protection by design” principle.
From the provisions of Article 35 of the GDPR, a DPIA is required in cases such as the following:
- if you are using new technologies;
- if you are tracking people’s location or behaviour;
- if you are systematically monitoring a publicly accessible place on a large scale.
What is the Rationale Behind It?
The implementation of a Data Protection Impact Assessment (DPIA) is an important aspect of the General Data Protection Regulation (GDPR) accountability obligations of an organisation.
The rationale behind it is to identify the risks that arise from data processing, to protect the data of subjects, and to control and mitigate those risks.
Comparative Analysis of the Provision of DPIA in Nigeria and Kenya
- Is the DPIA a Mandatory Requirement?
In Nigeria, the Nigeria Data Protection Regulation (NDPR), released in 2019, is the major regulation on data protection. Under the NDPR there is no mandatory requirement to undertake a DPIA. However, the Implementation Framework released in 2020 requires data controllers and processors to conduct a DPIA. Because the Implementation Framework has no legislative power of its own and is derived from the NDPR, this provision can be challenged.
In contrast, DPIA is explicitly provided for in Section 31 of the Data Protection Act of Kenya, and DPIA is a mandatory requirement where a processing operation is likely to result in high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context and purposes.
- Under What Circumstances Should a DPIA be Conducted?
In Nigeria, under the Implementation Framework, a DPIA should be conducted where the organisation intends to embark on a project that would involve intensive use of personal data, so as to identify possible areas where breaches may occur and devise a means of addressing such risks.
In addition, a DPIA should be conducted where the processing involves evaluation or scoring (profiling); automated decision-making with legal or similarly significant effect; systematic monitoring; sensitive or highly personal data; personal data relating to vulnerable or differently-abled data subjects; or the deployment of innovative processes or the application of new technological or organisational solutions.
Regulation 49(1) of Kenya’s Data Protection (General) Regulations outlines the processing operations considered likely to result in high risks to the rights and freedoms of a data subject. The inclusion of the processing of biometric or genetic data is a unique requirement not provided for in most laws.
In essence, where an organisation wants to conduct a survey and needs to profile people, especially their performance at work, economic situation, health, personal preferences or interests, behaviour, location, or movement, a DPIA is strongly recommended.
- What are the Contents of a DPIA?
In Nigeria, the Implementation Framework provides in its Audit template that a DPIA policy should be able to address the following issues:
- a description of the envisaged processing operations;
- the purposes of the processing;
- the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subject; and
- risk mitigation measures being proposed to address the risk.
In Kenya, the DPIA must include the following (Section 31(2) of the Act):
- A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the data controller or data processor;
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- An assessment of the risks to the rights and freedoms of data subjects; and
- The measures envisaged to address the risks and the safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with the Act, taking into account the rights and legitimate interests of data subjects and other persons concerned.
A recurring element in the above provisions is that a systematic description of the processing and an assessment of the necessity and proportionality of the processing are vital.
A DPIA is typically completed by documenting:
- The nature of processing – what you intend to do with the data;
- The scope – what data will be processed;
- The context – internal and external factors that may affect expectations or impact; and
- The purpose – why the organisation wants to process the data.
The assessment should also identify any technical and organisational measures that should be implemented to mitigate the identified risks, as well as measures to monitor compliance with those measures.
Conclusion
To identify, assess, and manage the potential risks associated with the use of personal data, organisations should conduct a data protection impact assessment where applicable. This assessment can also help organisations identify areas where they can make better use of their data to provide better customer service and develop more effective strategies. By taking a proactive approach to data protection, organisations can reduce their exposure to data protection risks and ensure that they comply with applicable data protection regulations.
Contributor(s):
Deborah Nwanguma
image source: www.vecteezy.com