The pitfalls of DPIA
Data Protection Officers (DPOs) are under huge pressure to produce Data Protection Impact Assessments (DPIAs), although it is not their job. Yes, you heard me right, it is not their job. A DPIA should be performed by the owner of the processing operation being analysed, or by someone from the team responsible for that processing. The DPO should approve, reject or advise: GDPR Article 35(2) only requires the controller to seek the DPO's advice when carrying out a DPIA, and Article 39(1)(c) makes advising on and monitoring the DPIA the DPO's task, not drafting it. And yet, this rarely happens. Moreover, DPOs are pushed to produce DPIAs that demonstrate that the processing operation under scrutiny is compliant, give or take some minor adjustments. And these are just some of the pitfalls of DPIA. Let's dive in.
The DPO as DPIA maker.
We know the theory. We know the DPO role should be a management role, reporting to the highest management level. Let's face it, it's not happening. Moreover, in the majority of cases, the DPO is in a conflict of interest: the DPO is handed the task of performing the DPIAs and, at the same time, is expected to sign them off. See the conflict?
If the DPO performs the DPIA, as happens today, the people responsible for the processing might not really understand the risks addressed by the conclusions of the DPIA and might ignore them completely. The result is unmanaged risk to the rights and freedoms of the people whose data is processed. A DPIA is not a "make it and forget it" document; it is a living and breathing approach to real data protection.
The DPIA as a "compliance" document.
Supervisory authorities have issued many guidance documents on when to perform a DPIA. Companies thus found themselves obliged to perform them, and many chose to produce documents that demonstrate that the existing compliance measures around a processing operation are enough. Maybe with some small adjustments, but not too many.
Most of the DPIAs I've seen performed by internal teams were "justification" documents, not thorough risk analyses. Many "in your face" risks were ignored or minimised just to arrive at the conclusion that the processing operations were low-risk, when in fact they were high-risk. Superficial analyses to justify low security and privacy investments.
I have never seen an internal DPIA stating that the processing should not happen at all. Many of the processing operations stopped by supervisory authorities had shallow DPIAs backing them up. Those were not DPIAs; those were in fact marketing documents.
A DPIA should thoroughly analyse every aspect of a processing operation: every step from collection to destruction of the personal data, applying privacy by design and by default as well as data protection by design and by default (GDPR Article 25), and evaluating all the risks from the point of view of the data subject, not of the company. What rights are at risk? What freedoms under the European Convention on Human Rights and the EU Charter of Fundamental Rights are at risk? Yes, every right and freedom should be analysed.
The AI boom is making things worse.
Everybody nowadays dreams of AI. LLMs, generative AI, autonomous driving, task automation, facial analysis, employee surveillance: just a few areas where AI is omnipresent. Every AI implementation should go through a thorough DPIA, to avoid bias and discrimination at the very least, not to mention other infringements on people's freedoms. Moreover, the AI Act imposes risk-management obligations on high-risk AI systems, and deployers of certain high-risk systems must also perform a fundamental rights impact assessment, regardless of whether the system was built in-house, sourced from a third party or simply purchased.
Take DPIAs seriously. DPOs should be consulted on the methodology, accuracy and quality of the DPIA. DPOs are the ones signing off the DPIAs, not the ones writing them.
If you need guidance or help, just contact us. We do thorough risk analysis while keeping in mind that the company still needs to grow and perform. We find solutions, not reasons to fail.
Data Privacy Consultant @Paramount, 1 year ago: Amazing practical insights.

Reply: Thank you for sharing your thoughts! DPIA is like a marriage, but with more paperwork. Not a one-time exercise, but a continuous process that requires collaboration and communication.