DATA & PRIVACY ARTICLE - HOW TO CONDUCT A DATA PROTECTION IMPACT ASSESSMENT?

How to conduct a Data Protection Impact Assessment?

Professionals involved in assessing data risks will be aware of the need to conduct a Data Protection Impact Assessment (DPIA) or a Privacy Impact Assessment (PIA) in the course of their work. Fundamentally, a DPIA is a risk-based approach which considers potential risks and controls to ensure compliance with data protection laws, or in Singapore's context, the Personal Data Protection Act (PDPA) 2012.

A DPIA typically covers a process, system or project that involves handling a large number of records containing personal data, especially sensitive personal data. Some organisations base their DPIA on the threshold for the Mandatory Data Breach Reporting Obligation under the PDPA, which is 500 records of personal data, or a significantly lower number where sensitive personal data is involved. Not all DPIAs are the same, as the risks captured in the DPIA would vary based on the organisation's risk prioritisation. Some stakeholders hold the view that there is no need for a risk assessment if they must accept the risk out of business needs. However, a deliberate process of risk identification and mitigation, together with consultation with stakeholders on risk appetite, is an important part of the organisation's due diligence to prevent a potential data breach.

As the Data Protection Officer (DPO) for an organisation would be working with various stakeholders in charge of various data-handling processes, the DPO may not be the individual tasked with completing the DPIA. Rather, the DPO would facilitate the risk assessment done by the project team or department involved, to ensure an objective and balanced assessment of the identified risks and practical controls. Not all stakeholders are well-versed in the PDPA or equivalent data protection laws, so the DPO or the team supporting the DPO would be responsible for guiding the stakeholders accordingly. However, some project teams may be experienced in data risks and confident enough to conduct the DPIA on their own before the DPO and senior management approve it.

As the process is not straightforward and at times requires a deeper understanding of the intricacies of how the personal data would be processed by internal and external stakeholders, the project team conducting the DPIA needs to factor in time for discussion, fact-finding, revising the workflow for handling personal data in light of the risks involved, and implementing sustainable yet effective risk controls. The amount of time for discovery will lengthen if there are external parties using systems or Artificial Intelligence to process large volumes of personal data, so that the project team can take note of potential vulnerabilities that would lead to non-compliance with the PDPA or a potential data breach. Considering that Singapore will be implementing a new PDPA Obligation on Data Portability, organisations developing new systems or technology that handle personal data should take this development into account and plan ahead. This brings value to the customers the organisation is serving as well as to its Board and investors.

For large corporations in the financial sector, a DPIA or PIA is required to demonstrate accountability and as a form of data governance. For aspiring risk professionals, it is an important tool to engage stakeholders in comprehensive risk identification and reasonable risk mitigation. More resources are available from the Personal Data Protection Commission (PDPC) website.

Author Bio

Yvonne Wong

AiSP

Yvonne is currently a Co-opted Committee Member, EXCO, in AiSP. She volunteers in the Cyber Threat Intelligence Special Interest Group (SIG) and the Data and Privacy SIG. Yvonne has been a practitioner, consultant and trainer for Governance, Risk and Compliance (GRC) since 2015.

Prior to GRC, she was involved in branding, communications, intellectual property management and strategic planning work in the private and public sectors. She is presently the Senior Manager in the Yishun Health Data Protection Office.