Data Protection Impact Assessment (DPIA)

This page furthers the understanding of GitLab Team Members on the purpose of Data Protection Impact Assessments and when they are required.

GitLab is fully committed to protecting the personal data of its customers, employees, suppliers and other stakeholders in accordance with global comprehensive data privacy laws. We take the privacy of personal data very seriously and have initiated a variety of methods and controls to ensure we know what data we collect and hold and that we protect that data appropriately.

As part of this commitment, GitLab ensures that, where appropriate, projects and personal data processing activities are subject to Privacy Reviews and a Data Protection Impact Assessment (DPIA) as key components of a ‘Privacy by Design’ approach.

The Privacy by Design approach is based on the principles of purpose limitation, data minimisation, fair and lawful processing, data quality, and designing products and services that enable users to exercise their rights of access, deletion, restriction, and portability.

Privacy Reviews and DPIAs should be used to ensure that our obligations in this area are met.

What is a DPIA?

A Data Protection Impact Assessment (DPIA) is a way to systematically and comprehensively analyze processing and minimize data protection risks. DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm - to individuals or to society at large, whether it is physical, material or non-material. These types of risks may lead to discrimination, identity theft or fraud, financial loss, reputational damage and other significant economic or social disadvantages. Ultimately, a DPIA is required when the level of risk to the rights and freedoms of natural persons is deemed “high”.

To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals. A DPIA does not have to eradicate the risk altogether, but should help to minimize risks and assess whether or not remaining risks are justified. DPIAs are a legal requirement for data processing that is likely to be high risk. However, an effective DPIA can also bring broader compliance, financial and reputational benefits, helping to demonstrate accountability and building trust and engagement with individuals.

A DPIA can cover a single processing activity or a group of similar processing activities, and it is used throughout the development and implementation of a project to identify and fix problems early, saving time and monetary resources. The review of risks and any mitigation measures may be continuous, especially if anything changes to how or why a processing activity occurs.

When is a DPIA Required?

In determining whether a DPIA is legally required for a processing activity, GitLab considers the following high-risk criteria:

  1. Does the processing use automation, including profiling, to make decisions that produce legal effects or could significantly affect an individual?
  2. Does the processing involve sensitive data or data processed on a large scale?
  3. Does the processing involve monitoring public areas on a large scale?
  4. Does the processing match or combine data sets from separate processing operations?
  5. Does the processing contemplate an innovative use or apply new technological or organizational solutions?
  6. Does the processing in itself prevent data subjects from exercising a right or using a service?
  7. Does the processing collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’)?
  8. Does the processing track individuals’ location or behavior?

How are DPIAs Conducted?

In the early stages of a project, when a new vendor/service provider is being considered, and at regular intervals during a project’s lifecycle or the use of a vendor or service, a Privacy Review occurs. This review runs alongside the planning and development process or the selection of new vendors and tech stack tools, and at key renewal dates. The outcome of the Privacy Review informs whether a full DPIA is necessary. The Privacy Team conducts these reviews in collaboration with Security to ensure that risks are identified, assessed, and managed according to GitLab’s security risk management process. When a high level of risk is identified, the Privacy Team will collaborate with the relevant stakeholders to initiate and complete a DPIA. This typically involves a Product Manager, the business/technical owner, and the appropriate risk owner for the team.

GitLab Team Members can obtain additional details about DPIAs and how they are conducted, including specifics about the workflow process, [here](https://internal.gitlab.com/handbook/legal-and-corporate-affairs/legal-privacy/) (internal only).

Last modified April 1, 2024: Update file dpia to add link.md (bb31aa99)