According to article 35(9) of General Data Protection Regulation (GDPR), while conducting a data protection impact assessment (DPIA), an organization should seek the views of data subjects or their representatives on the intended processing without prejudice to the protection of commercial or public interests or the security of processing operations.
What is a DPIA and what does it do?
A DPIA is a process for assessing the impact on privacy of a project, policy, program, service, product, or other initiative, and for taking remedial actions as necessary to avoid or minimize any negative impact. It is a key part of complying with the GDPR where high-risk data processing is involved.
DPIAs help organizations identify, assess, and mitigate or minimize the privacy risks associated with data processing activities. DPIAs are important tools for accountability, as they help controllers comply with GDPR requirements and demonstrate that appropriate measures have been taken to ensure that compliance. In other words, a DPIA is a process for building and demonstrating compliance.
Why is consultation with data subjects important?
Consultation with the data subjects who will be affected is an important part of the DPIA process and enables an organization to understand the concerns of those data subjects. Consultation also improves transparency by making data subjects aware of how information about them is being used.
Under GDPR, non-compliance with DPIA requirements can lead to fines imposed by the competent supervisory authority. Failure to carry out a DPIA when the processing requires one under Article 35(9) can result in an administrative fine of up to €10 million, or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Setting up a data subject consultation process
A few of the consultation mechanisms that can be considered, depending on the type and nature of the processing, are focus groups, user groups, public meetings, consumer panels, town hall meetings, individual interviews, paired interviews, and surveys.
To this end, here are some logical steps to help you set up a solid consultation process with your data subjects:
- Design a consultation process and create guidelines for the process.
- Develop a communication and response gathering strategy.
- Provide your data subjects with adequate information about the project, presented clearly enough for them to make valid contributions: explain what the process will be, why the consultation is being undertaken, how long it will last, what the expected results are, and how they will be used.
- Document the reasons in the event that your data controller’s final decision differs from the views of the data subjects.
- Document the justification, with clear explanations, for not seeking the views of the data subjects in the event that your data controller decides consultation isn’t appropriate.
The benefits of data subject consultation
Consulting data subjects or their representatives enables your organization to:
- Assess the risk to your data subjects’ rights and freedoms, and identify measures to reduce risk to an acceptable level.
- Demonstrate compliance with GDPR requirements.
- Foster greater trust and confidence of your data subjects and data controllers.
- Benefit from options based on a wider range of views gathered.
- Identify risks related to significant social or economic disadvantage.
- Improve understanding of your data subjects’ needs, concerns, and expectations.
- Avoid potential reputational damage at a later stage.
To conclude, consulting data subjects enhances the effectiveness of your DPIA process, which in turn helps to ensure GDPR compliance. Where no data subject consultation takes place, it is strongly advised that you document the valid reasons for not consulting your data subjects, so that you can demonstrate compliance if challenged.
To learn more about how our governance, risk management and compliance (GRC) services can assess your GDPR compliance and help save time and money for your clients, contact: firstname.lastname@example.org
Learn more about how Capgemini’s GDPR portfolio can enhance your reputation and deliver real business value.
Gopichand Patibandla is an experienced GRC and Audit Assurance professional. He has successfully managed many ITGC/SOX/SAS70/SSAE16/ISAE3402 projects for multiple clients. Prior to joining Capgemini, Gopichand held a variety of roles, including the implementation of large IT projects and the management of various IT processes in a large financial organization. He has extensive experience in performing gap analyses and compliance assessments in the areas of IT risk, IT governance, privacy, and security.