CNIL DPIA Template: List of Things to Include


All European Union (EU) member states are bound by the General Data Protection Regulation (GDPR), but the Regulation leaves room for national law to specify and supplement its rules, so each country keeps its own data protection statute alongside it.

One example is the French Data Protection Act (FDPA), the Loi Informatique et Libertés.

In this article, we’ll explain the Data Protection Impact Assessment (DPIA) from the perspective of France and its law and give you a CNIL DPIA template with a list of things to include.

So, let’s begin.

Key Takeaways

Conducting a Data Protection Impact Assessment (DPIA) is required by the GDPR and the French Data Protection Act (FDPA) when the processing is likely to result in a high risk to the rights and freedoms of data subjects

The CNIL DPIA template serves to help businesses create their DPIAs more easily

The controller is responsible for carrying out the DPIA and must seek the advice of its data protection officer (DPO); in the CNIL template the DPO gives a formal opinion before the controller validates the assessment

What is the French Data Protection Act?


The French Data Protection Act (FDPA) is the national statute that adapts French law to the GDPR, using the room the Regulation leaves to member states to specify and supplement its rules (for example on minors’ consent or on health data). It cannot amend the GDPR itself, which applies directly in France.

The Act pre-dates the GDPR: it was originally passed on 6 January 1978 (Act no. 78-17). It was heavily amended in 2018, and recast by ordinance at the end of that year, to align it with the GDPR and with modern digital technologies.

This law applies to:

Controllers and processors established in France

Controllers and processors established outside France that offer goods or services to data subjects in France

Controllers and processors established outside France that monitor the behaviour of individuals in France

Additionally, the Act gives data subjects rights that the controller must honour, mirroring those of the GDPR:

Right to access their own personal data

Right to rectification of inaccurate data

Right to erasure of personal data

Right to restriction of processing

Right to data portability

Right to object to processing

Right to withdraw consent at any time

Both the GDPR and the FDPA are enforced in France by the Commission nationale de l’informatique et des libertés (CNIL), the national supervisory authority (data protection authority).

What is a DPIA (And Do I Need One)?


The Data Protection Impact Assessment (DPIA) is a method of evaluating the risks that collecting, storing and processing personal data may pose to the data subjects, and of deciding on measures to mitigate those risks before the processing starts.

As an important tool that helps businesses comply with the GDPR and other data protection regulations, a DPIA brings several benefits, such as:

Identifying the risks that processing personal data creates for data subjects

Improving the reputation of the business and helping to build a better relationship with its customers

Reducing the risk of penalties for non-compliance for the organization

Article 35 of the GDPR sets out when a DPIA is required and what it must contain; Article 35(2) obliges the controller to seek the advice of its data protection officer (DPO), where one has been designated, when carrying it out. (The designation of a DPO itself is governed by Article 37.)

At a minimum, a DPIA must contain:

A systematic description of the processing operations and their purposes, including, where applicable, the legitimate interest pursued by the controller

An assessment of the necessity and proportionality of the processing in relation to its purposes

An assessment of the risks to the rights and freedoms of data subjects

The measures envisaged to address those risks (safeguards, security measures and mechanisms) and to demonstrate compliance with the GDPR

When is a DPIA Required?

A DPIA is required whenever the processing carried out by an organization is likely to result in a “high risk” to the rights and freedoms of natural persons (GDPR Article 35(1)).

Article 35(3) names three cases outright: systematic and extensive profiling with legal or similarly significant effects, large-scale processing of special categories of data or of criminal data, and large-scale systematic monitoring of publicly accessible areas. The CNIL, following the EDPB guidelines on DPIAs, also publishes a list of processing operations that always require one. Taken together, under the GDPR and the FDPA a DPIA is required when the controller is doing “high-risk” activities such as:

Using new technologies to process personal data

Monitoring individuals in public spaces systematically

Profiling data subjects using personal data

Processing special categories of personal data

Merging data collected from different sources and via various processes

Processing data of vulnerable data subjects (patients, employees, incapacitated persons and similar groups)

Processing that prevents individuals from exercising a right or from using a service or contract

Transferring data to countries outside the EU/EEA

Processing children’s data

Processing data on a large scale

CNIL DPIA Template

The CNIL publishes its PIA template as a free PDF on its website (cnil.fr), together with the methodology guide explaining how to fill it in, knowledge-base guides and an open-source PIA tool. The template covers the most important steps to create a DPIA under the GDPR and the FDPA.

A DPIA template can be useful to different stakeholders involved in data processing in your organization, including:

Decision-makers

Data protection officers (DPO)

Contractors

Chief Information Security Officers (CISO)

Project owners, and others


We’ll quickly cover the different sections of this template and what they mean.

Study of the Context

The first part of the DPIA template covers the context of the data processing in question. This part is divided into two sections.

Overview of the Processing

The Overview of the Processing gives an overall description of the processing, its purposes and what is at stake, and identifies the data controller and any processor(s).

Additionally, the overview also covers any standards that are specific to your sector or industry you need to consider.

Data, Processes, and Supporting Assets

Next, list the data types you collect and process, the recipients of the data, and how long you will retain each category.

Also, you need to describe your processes and their supporting assets. CNIL recommends creating a diagram of data flows along with a detailed description of the processes.

Study of the Fundamental Principles

Assessment of the Controls Guaranteeing the Proportionality and Necessity of the Processing

In this section you justify the proposed processing, starting with its lawfulness.

The CNIL DPIA template lists the GDPR’s lawful bases (Article 6). Go through them all, mark whether each one applies to your situation, and for each that does, justify why.

For example, if the lawful basis is that the data subject has consented to the processing of their personal data for one or more specific purposes, you would mark the “Applicable” field as “yes” and, in the “Justification” field, describe how consent is collected and recorded. A cookie banner can be that mechanism, but only if the consent is a genuine affirmative act that is freely given, specific and informed, and only if you keep evidence of it; consent obtained for cookies covers only the processing it was asked for.

Next, you need to go through the data categories, whether they are relevant and needed, how you can minimize the data you will process, the justification of data quality, and the justification of storage duration.

Finally, assess your controls. Do you have a specific and legitimate purpose? Is the processing lawfully based? Is your data minimization adequate and is the data up-to-date and accurate?

Assessment of Controls Protecting Data Subjects’ Rights

The next section of the template goes through how well the business is protecting data subject rights.

Informing the data subject – How are you informing the data subject? Are there any exemptions? What are they?

Obtaining consent – How are you obtaining consent? Is it obtained before the data is collected and before it is shared with others? How are you handling children’s consent?

Access and data portability – Can the data subject access their data securely and easily? Can they download it and transfer it to another service?

Rectification and erasure – Can data be rectified or erased/deleted on the data subject’s request? How will you implement the right to be forgotten? What data can’t be erased (i.e. due to legal obligations)?

Restriction of processing and objecting – How can the data subjects object to data processing or restrict it? How do you handle cookies and tracking? Do you offer enough “Privacy” settings that users can control?

Processors – For each processor: name, purpose, scope, contact reference, and the Article 28 contract that binds them.

Data transfers outside the EU – Will the data leave the EU? To which country? Is that country covered by an adequacy decision and, if not, which safeguards (standard contractual clauses, binding corporate rules) apply?

Finally, go through these controls one more time and see if they can be improved upon and how.

Study of Data Security Risks

What security controls are you using when processing data? Security controls include encryption, pseudonymisation and anonymisation (properly anonymised data is no longer personal data, whereas pseudonymised data still is), but also physical access control, policy management, protection against human and non-human risk sources, and so on.

Go through each data security risk, whether it comes from cyberattacks, human error or natural causes (fire, water, earthquake), assess your controls, and see whether you can improve them.

The CNIL method then assesses the risk of each feared event: illegitimate access to data, unwanted modification of data, and disappearance of data. For each one, identify the main risk sources and threats and the potential impacts on data subjects, rate the severity and the likelihood, and check which of your controls reduce them.

Validation of the PIA

Finally, assess the controls and how well they comply with the GDPR and its principles. The template uses a simple checklist in which each item is marked non-applicable, unsatisfactory, planned improvement or acceptable, alongside a map of the residual risks.

Then record the DPO’s formal opinion (and, where appropriate, the views of data subjects or their representatives), and have the controller formally validate the PIA.

Steps to Carry Out a DPIA


Here are the steps to carry out a DPIA:

Identify the Need to Conduct a DPIA

A DPIA is required in certain situations regarding data processing, but not always. Consider what your new project involves and if the data processing that you will have to do as part of it can, in any way, present a high risk to the rights and freedoms of individuals whose data you will process.

“High-risk” activities can include:

New technologies (AI, smart technologies, IoT, autonomous vehicles, etc.)

Large-scale profiling (social media networks, fitness monitoring hardware and software, etc.)

Biometric and genetic data (facial recognition, voice recognition, DNA testing, medical research, etc.)

Data matching (direct marketing, identity assurance services, fraud prevention…)

Decisions that deny individuals access to a service or benefit (mortgage, insurance or credit checks)

Tracking (cookies, web tracking, browser profiling, online advertising…)

Invisible processing (direct marketing, data aggregation, publicly available data reuse…)

Targeting of at-risk individuals and groups, such as children, for automated decision-making, profiling or marketing

Consultation Phase

In this phase, and before going any deeper into the impact assessment, consult the relevant stakeholders, in particular:

Data processors, to understand their processing and handling methods (and to check the Article 28 contract that binds them)

Your DPO, and the supervisory authority (the CNIL in France) where you need guidance

Data security experts, on the best methods and tools to secure data before, during and after processing

Where appropriate, the data subjects or their representatives, whose views the controller must seek under GDPR Article 35(9)

Describe the Nature, Scope, Context, and Purpose

Any data processing should have a clear nature, scope, context, and, finally, purpose. Define all of these by asking the following questions:

The Nature of Data Processing:

How will the business collect data?

Where will data be stored?

How will data be stored?

How will it be used?

For how long will it be stored?

What are the data sources?

When and how will the business erase the data?

Will data be shared with any 3rd parties?

The Scope of Data Processing:

Does the data include any special categories of data?

How often will the business use this data?

How long will the company keep the data?

How much data will the business be collecting and using?

What geographical area (region, country, etc.) will the processing cover?

How many individuals, on estimate, will be affected by this data processing?

The Context of Data Processing

How is the data collected? From customers or third parties?

Are the data subjects your users or customers, or do you have another type of relationship with them?

Can they reasonably expect you to use the data for the stated purpose? For example, a weather app plausibly needs location data but has no reason to collect biometric data, whereas a fitness app may legitimately collect heart rate and similar biometric data.

To what extent can individuals control what data they share and exercise their data subject rights?

Is this a novel type of processing, and does the technology involved have known security weaknesses?

Does it involve children or other at-risk groups?

The Purpose of Data Processing

What does the business hope to get from this data processing?

What will be the benefits of processing for the business?

What will be the benefits for individuals?

Identify and Assess Potential Risks

Naturally, every project that requires data processing will incur certain risks. In this phase, you need to assess those risks and what harm could come out of them:

What is the risk potential? Remote (unlikely to happen), possible (it “might” happen), or probable (it’s likely to happen)?

If the harm occurs, what will its severity be? Minimal, moderate, or severe?

What is the overall risk? Low, medium, or high?

Identify Measures to Mitigate Risks

Now that you know and understand the risks, what measures can you use to mitigate them?

List all potential risks that you identified in the previous step

List options to reduce each risk. The more options you have, the better, but aim for at least two per risk

State the effect each option has on the specific risk: does it reduce it or remove it entirely? Bear in mind that you may have to accept certain risks as they are

What risks are you left with after implementing these measures?
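The two steps above (rating each risk, then applying measures and recording what is left) are what a DPIA risk register does. The following is an added example, not code from the CNIL template or from this page’s author: a small Python register that uses the three-level scales given above, a likelihood-by-severity matrix (the matrix itself is an assumption, since the text gives the scales but not the mapping), and mitigating measures that lower one scale or the other. The three constructed risks follow the CNIL method’s feared events (illegitimate access, unwanted modification, disappearance of data) for a hypothetical patient-monitoring app; the measures and ratings are illustrative.

```python
"""DPIA risk register: inherent risk, mitigating measures and residual risk.

Added example; the risk matrix and the sample risks are assumptions.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Likelihood(IntEnum):
    REMOTE = 1     # unlikely to happen
    POSSIBLE = 2   # might happen
    PROBABLE = 3   # likely to happen


class Severity(IntEnum):
    MINIMAL = 1
    MODERATE = 2
    SEVERE = 3


# Assumed mapping from (severity, likelihood) to the overall risk level.
# A severe impact never drops to "low", even when it is remote.
RISK_MATRIX = {
    Severity.MINIMAL:  {Likelihood.REMOTE: "low",    Likelihood.POSSIBLE: "low",    Likelihood.PROBABLE: "medium"},
    Severity.MODERATE: {Likelihood.REMOTE: "low",    Likelihood.POSSIBLE: "medium", Likelihood.PROBABLE: "high"},
    Severity.SEVERE:   {Likelihood.REMOTE: "medium", Likelihood.POSSIBLE: "high",   Likelihood.PROBABLE: "high"},
}


def risk_level(likelihood: Likelihood, severity: Severity) -> str:
    """Overall risk (low / medium / high) for one likelihood-severity pair."""
    return RISK_MATRIX[severity][likelihood]


@dataclass
class Measure:
    """A mitigating control and how many steps it lowers each scale."""
    name: str
    likelihood_reduction: int = 0
    severity_reduction: int = 0


@dataclass
class Risk:
    risk_id: str
    feared_event: str            # e.g. "illegitimate access to health records"
    risk_sources: str
    likelihood: Likelihood       # inherent, before any measure
    severity: Severity
    measures: list = field(default_factory=list)

    def inherent_level(self) -> str:
        return risk_level(self.likelihood, self.severity)

    def residual(self) -> tuple:
        """Likelihood, severity and level after all measures, clamped to the scales."""
        lk = self.likelihood - sum(m.likelihood_reduction for m in self.measures)
        sv = self.severity - sum(m.severity_reduction for m in self.measures)
        lk = Likelihood(max(Likelihood.REMOTE, min(Likelihood.PROBABLE, lk)))
        sv = Severity(max(Severity.MINIMAL, min(Severity.SEVERE, sv)))
        return lk, sv, risk_level(lk, sv)


def residual_high_risks(register: list) -> list:
    """IDs of risks still rated high after measures. These cannot simply be
    accepted: under GDPR Article 36 a residual high risk requires prior
    consultation with the supervisory authority (the CNIL in France)."""
    return [r.risk_id for r in register if r.residual()[2] == "high"]


def build_register() -> list:
    """Constructed sample register for a hypothetical patient-monitoring app."""
    return [
        Risk("R1", "illegitimate access to health records", "external attacker, rogue admin",
             Likelihood.POSSIBLE, Severity.SEVERE,
             measures=[Measure("MFA and role-based access control", likelihood_reduction=1),
                       Measure("encryption at rest, keys held in a KMS", severity_reduction=1)]),
        Risk("R2", "unwanted modification of dosage data", "software bug, insider",
             Likelihood.PROBABLE, Severity.SEVERE,
             measures=[Measure("append-only audit log with integrity checks", likelihood_reduction=1)]),
        Risk("R3", "disappearance of records", "ransomware, fire in the data centre",
             Likelihood.POSSIBLE, Severity.MODERATE,
             measures=[Measure("offline, regularly tested backups", severity_reduction=1)]),
    ]


def report(register: list) -> list:
    """One row per risk: inherent level, residual scales and level, measures applied."""
    rows = []
    for r in register:
        lk, sv, level = r.residual()
        rows.append({"id": r.risk_id, "inherent": r.inherent_level(), "residual": level,
                     "residual_likelihood": lk.name, "residual_severity": sv.name,
                     "measures": [m.name for m in r.measures]})
    return rows


if __name__ == "__main__":
    reg = build_register()
    for row in report(reg):
        print(row)
    print("prior consultation needed for:", residual_high_risks(reg))
```

In the sample, R1 and R3 fall to low after their measures, while R2 only drops from probable to possible and therefore stays high; that is the residual risk the controller cannot just accept and must either reduce further or take to the CNIL before the processing starts. Replacing the matrix and reductions with the scales and effects your own DPO agrees on keeps the rest of the logic unchanged.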

Sign Off with the DPO and the Controller

Next, the DPO gives a formal opinion on the DPIA and the controller validates it. The work isn’t finished there: the controller must review the DPIA whenever the risk presented by the processing changes (GDPR Article 35(11)), and the measures it lists need to be monitored regularly to make sure they are actually in place and still match the organisation’s regulatory obligations.

Partner with Captain Compliance

Finally, make sure to partner with Captain Compliance and have our experts help you maintain compliance and find ways to improve data privacy and protection.

We provide outsourced compliance services and have a DPIA solution to ensure your risks are at a minimum.

Penalties for Non-Compliance with the France Data Protection Act?

The FDPA empowers the CNIL and its Restricted Committee to take action and impose fines on data controllers in case of non-compliance. These may or may not be preceded by a formal notice.

If the data controller or data processor is found in violation, the Restricted Committee can:

Issue a call to order

Issue an injunction to comply with the Act or the GDPR

Impose a periodic penalty payment of up to €100,000 per day of delay until they comply

Revoke or withdraw their certification

Prohibit data processing

Suspend data flows to a recipient in a third country or to an international organisation

Withdraw, partially or entirely, its approval of binding corporate rules (BCRs)

On top of this, your business may also be subject to GDPR administrative fines of up to €20,000,000 or 4% of worldwide annual turnover, whichever is higher. And if that isn’t enough, data subjects have a right to compensation and a judicial remedy (GDPR Articles 79 and 82), meaning they can sue your company for the damage suffered.

Closing

As in every EU member state, the GDPR has applied directly in France since 25 May 2018. France adapted its Data Protection Act of 1978 to it by the law of 20 June 2018 and the ordinance of 12 December 2018, so the two texts now work together.

We hope this article and CNIL DPIA template can serve as a good starting point to conduct your own privacy impact assessment. If you think you may need help with DPIAs or compliance in general, Captain Compliance can help your business out.

Get in touch with Captain Compliance for more information on how we can affordably and effectively achieve compliance for your business.

FAQs

How do I draft a DPIA?

To draft a DPIA, you should follow these steps:

Identify the need for a data protection impact assessment

Consult with data processors, your DPO, the supervisory authority (DPA) where needed, security experts and other stakeholders

Describe the nature, scope, context and purpose of the processing

Identify and assess the risks

Identify the measures to reduce those risks

Obtain the DPO’s opinion and have the controller validate the DPIA

What is a DPIA template?

A DPIA template is a document form or guide that can help businesses conduct data privacy impact assessments more quickly and easily.


What must be included in a DPIA?

At a minimum, a DPIA must include:

A systematic description of the processing operations and their purposes, including, where applicable, the legitimate interest pursued by the controller

An assessment of the necessity and proportionality of the processing in relation to its purposes

An assessment of the risks to the rights and freedoms of data subjects

The measures envisaged to address those risks (safeguards, security measures and mechanisms) and to demonstrate compliance with the GDPR

Does GDPR require DPIA?

Under Article 35, the General Data Protection Regulation (GDPR) requires a data protection impact assessment (DPIA) when processing is likely to result in a high risk to the rights and freedoms of data subjects.

In particular, when:

Using new technologies to process personal data

Monitoring individuals in public spaces systematically

Profiling data subjects using personal data

Processing special categories of personal data

Merging data collected from different sources and via various processes

Processing data of vulnerable data subjects (patients, employees, incapacitated persons and similar groups)

Processing that prevents individuals from exercising a right or from using a service or contract

Transferring data to countries outside the EU/EEA

Processing children’s data

Processing data on a large scale
