A data protection impact assessment (DPIA) is mandatory in certain circumstances under the UK General Data Protection Regulation (GDPR). It is also a tool that can be of great value to organisations by assisting them meet their data protection obligations in identifying the risks associated with data processing and, specifically, those posed to data subjects.
A DPIA delivers a pre-emptive approach to assessing these risks, and by applying corrective actions such as risk control measures, can help prevent a data breach occurring. Overall, the DPIA aims to either eliminate or mitigate (reduce) the risks. Even if not legally required, carrying out a ‘best practice’ DPIA can offer significant benefits.
There may be, however, instances where a risk has to be accepted (or the processing ceased) because the DPIA report indicates a high residual (remaining) risk, due to complete or effective mitigation measures not being available or practical. In such instances, the Information Commissioner’s Office (ICO) must be consulted prior to the processing activity taking place.
In this blog, we present a high-level outline of suggested steps in conducting a DPIA. Firstly, let’s identify when a DPIA needs to be conducted.
When is a DPIA required?
The UK GDPR identifies the key triggers for a DPIA, namely:
- The processing involves systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individuals or similarly significantly affect them
- Processing on a large scale of special categories of data
- Processing on a large scale of personal data relating to criminal convictions and offences
- Systematic monitoring of a publicly accessible area on a large scale (e.g., deploying CCTV in a public area)
- Where a processing operation is likely to result in a high risk to the rights and freedoms of an individual
- Processing involving the use of new technologies
- New processing activities not previously used by the organisation
- Processing considerable amounts of personal data at regional, national, or supranational level, which could affect many data subjects
- Processing activities which make it difficult for the data subject(s) to exercise their rights.
How do you conduct a DPIA?
To ensure a more structured assessment and comprehensive coverage, the DPIA is best performed in a sequence of steps. Below is a summary of what should happen at each step.
- Step 1. Initial Assessment - Not all processing activities will require a DPIA to be completed. It is, therefore, essential that you carry out a check against the types of processing outlined in the UK GDPR. A predefined list of screening questions (of the kind available from the ICO website) is often useful in ascertaining whether a DPIA is needed/advisable. Internal and external consultations involving stakeholders, employees, senior management and any associated third parties involved in the processing, or who can lend insight and feedback, are helpful at this stage.
- Step 2. Data Flows – Identifying where data is obtained and how it is processed, stored, and destroyed, is an essential part of a DPIA. At this stage, you may find it useful to consult your most recent record of processing activities (ROPA) or information audit, or any data flow maps which your business may have prepared. These will help identify, categorise and record all personal information obtained, stored, and shared by your organisation.
- Step 3. Identify the Risks and Privacy Issues - Responses obtained from answering the assessment questions and examining the data flows will help identify the privacy issues and associated risks. Risks will usually fall into one of 3 categories:
- Risks to Individuals - Any risk that affects a data subject, their data, their privacy or their rights is classed as a risk to an individual. Inadequate access/disclosure controls, consent issues, non-legitimate processing purposes and surveillance methods are just a few of the issues that may result in risks to individuals.
- Compliance Risks - These can arise where the assessment response indicates that a breach of laws and/or regulations will occur if the processing goes ahead. This can include non-compliance with the UK GDPR, Privacy and Electronic Communications Regulations (PECR) or human rights legislation.
- Corporate Risks - Risks that will affect your organisation, including reputational damage, revenue loss, fines, and sanctions. These will mainly arise where the initial collection, consent to processing, disclosure, sharing or storage of the personal information have not been compliant or where record keeping is ineffective.
- Step 4. Identify and Evaluate Privacy Solutions – An important reason for conducting DPIAs is to identify, develop and document corrective actions, solutions and mitigating controls that can reduce or eliminate any identified risks. Once all privacy issues and risks have been identified, you must then identify and evaluate solutions and mitigating actions. It may not be possible to eliminate all risks, but the aim should be to reduce them to an acceptable level.
- Step 5. Integrate Outcomes - The solutions and actions to reduce/remove the risks must be added back into the project plan so that the risks can be reassessed with the mitigating actions in place. Once all risks and privacy issues have been identified, and mitigating actions and solutions applied to reduce, eliminate, or accept the risks, the outcomes should be integrated into the project and an action plan created for developing and implementing the solutions.
- Step 6. Authorisation and Recording - All stages of the DPIA must be recorded, together with sign off from the data protection lead/data protection officer and the member of the executive board who owns the organisation’s privacy strategy. Results of the assessment may be used as a guide should a similar project or technology be considered by the organisation in the future.
URM’s data protection consultants have extensive experience of advising clients on DPIAs and will be pleased to assist you in undertaking your organisation’s first (or any subsequent) DPIA. Please complete the form on GDPR service page.