A GDPR & Data Protection Advisory Note.
Published: 22/09/2020 Last updated: 22/09/2020
Terminology
| GDPR | General Data Protection Regulation |
| DPA | Data Protection Act 2018 |
| DPIA | Data Protection Impact Assessment |
| DBS | Disclosure and Barring Service |
| ICO | Information Commissioner’s Office |
| DPO | Data Protection Officer |
| EDPB | European Data Protection Board |
IN SUMMARY
A DPIA is a process to help you identify and minimise the data protection risks of a project.
You must do Data Protection Impact Assessments for processing that is likely to result in a high risk to individuals. This includes some specified types of processing. It is also good practice to do a DPIA for any other major project which requires the processing of personal data.
Your Data Protection Impact Assessments must:
- describe the nature, scope, context and purposes of the processing
- assess necessity, proportionality and compliance measures
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks
To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
NB: If you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.
IN DETAIL
WHAT’S NEW UNDER THE GDPR?
The GDPR introduces a new obligation to do a DPIA before carrying out types of processing likely to result in high risk to individuals’ rights and freedoms. If your DPIA identifies a high risk you cannot mitigate, you must consult the ICO. This is a key part of the new focus on accountability and data protection by design.
DPIAs are now mandatory in some cases, and there are specific legal requirements for content and process.
You don’t need to send every DPIA to the ICO, but you must consult the ICO if your DPIA identifies a high risk and you cannot take measures to reduce that risk.
WHAT IS A DPIA?
A DPIA is a way for you to systematically and comprehensively analyse your processing and help you identify and minimise data protection risks.
DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – to individuals or to society at large, whether it is physical, material or non-material.
To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals.
A DPIA does not have to indicate that all risks have been eradicated. But it should help you document them and assess whether or not any remaining risks are justified.
DPIAs are a legal requirement for processing that is likely to be high risk. But an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and building trust and engagement with individuals.
A DPIA may cover a single processing operation or a group of similar processing operations. A group of controllers can do a joint DPIA.
HOW DO YOU CARRY OUT DATA PROTECTION IMPACT ASSESSMENTS?
There is currently no definitive DPIA procedure that must be followed. This means that you are free to use such methods as you choose. You must seek the advice of your DPO before carrying out a DPIA. You should also consult with relevant individuals and other stakeholders throughout this process.
A DPIA should begin early in the life of a project, before you start your processing, and run alongside the planning and development process. It should include these steps:
- Identify the need for a DPIA
- Describe the processing
- Consider consultation
- Access necessity & proportionality
- Identify & assess risk(s)
- Identify measures to mitigate risk(s)
- Sign off & record outcomes
- Integrate outcomes into plan
- Keep under review
WHAT KIND OF ‘RISK’ DO DATA PROTECTION IMPACT ASSESSMENTS ASSESS?
There is no explicit definition of ‘risk’ in the GDPR, but the various provisions on DPIAs make clear that this is about the risks to individuals’ interests. The GDPR says that a DPIA must consider “risks to the rights and freedoms of natural persons”. This includes risks to privacy and data protection rights, but also effects on other fundamental rights and interests.
The focus is therefore on any potential harm to individuals. However, the risk-based approach is not just about actual damage and should also look at the possibility for more intangible harm. It includes any “significant economic or social disadvantage”.
The impact on society as a whole may also be a relevant risk factor. For example, it may be a significant risk if your intended processing leads to a loss of public trust.
WHY ARE DATA PROTECTION IMPACT ASSESSMENTS IMPORTANT?
DPIAs are an essential part of your accountability obligations. Conducting a DPIA is a legal requirement for any type of processing, including certain specified types of processing that are likely to result in a high risk to the rights and freedoms of individuals. Under GDPR, failure to carry out a DPIA when required may leave you open to enforcement action, including a fine of up to €10 million, or 2% global annual turnover if higher.
By considering the risks related to your intended processing before you begin, you also support compliance with another general obligation under GDPR: data protection by design and default.
In general, consistent use of DPIAs increases the awareness of privacy and data protection issues within your organisation. It also ensures that all relevant staff involved in designing projects think about privacy at the early stages and adopt a ‘data protection by design’ approach.
A DPIA also brings broader compliance benefits, as it can be an effective way to assess and demonstrate your compliance with all data protection principles and obligations. An effective DPIA allows you to identify and fix problems at an early stage, bringing broader benefits for both individuals and your organisation.
It can reassure people that you are protecting their interests and have reduced any negative impact on them as much as you can. In some cases, the consultation process for a DPIA gives them a chance to have some say in the way their information is used. Conducting a DPIA can help you to build trust and engagement with the people using your services, and improve your understanding of their needs, concerns and expectations.
There can also be financial benefits. Identifying a problem early on generally means a simpler and less costly solution, as well as avoiding potential reputational damage later on. A DPIA can also reduce the ongoing costs of a project by minimising the amount of information you collect where possible and devising more straightforward processes for staff.
WHEN DO YOU NEED DATA PROTECTION IMPACT ASSESSMENTS?
You must do a DPIA before you begin any type of processing that is “likely to result in a high risk”. This means that although you have not yet assessed the actual level of risk, you need to screen for factors that point to the potential for a widespread or serious impact on individuals.
In particular, the GDPR says you must do a DPIA if you plan to:
- use systematic and extensive profiling with significant effects;
- process special category or criminal offence data on a large scale; or
- systematically monitor publicly accessible places on a large scale.
When considering if your processing is likely to result in high risk, you should consider the following criteria of processing operations likely to result in high risk. While the guidelines suggest that, in most cases, any processing operation involving two or more of these criteria requires a DPIA, you may consider in your case that just meeting one criterion could require a DPIA.
EXAMPLES OF PROCESSING LIKELY TO RESULT IN HIGH RISK
The following list details processing operations for which the ICO requires you to complete a DPIA as they are ‘likely to result in high risk’. It is based on guidelines adopted by the European Data Protection Board (EDPB) on DPIAs.
NB: This list does not affect your overriding obligation to assess any proposed processing operation against the requirement to complete DPIAs. The ICO also considers it best practice to do a DPIA, whether or not the processing is likely to result in a high risk.
| Type of processing operation(s) requiring a DPIA | Description | Examples |
| Innovative technology | Processing involving the use of new technologies, or the novel application of existing technologies (including AI). A DPIA is required for any intended processing operation(s) involving innovative use of technologies (or applying new technological and/or organisational solutions) | Artificial intelligence, machine learning and deep learning. Connected and autonomous vehicles. Intelligent transport systems. Smart technologies (including wearables). Market research involving neuro-measurement (i.e. emotional response analysis and brain activity). Some IoT applications, depending on the specific circumstances of the processing. |
| Denial of service | Decisions about an individual’s access to a product, service, opportunity or benefit which are based to any extent on automated decision-making (including profiling) or involves the processing of special- category data. | Credit checks. Mortgage or insurance applications. Other pre-check processes related to contracts (i.e. smartphones). |
| Large-scale profiling | Any profiling of individuals on a large scale. | Data processed by Smart Meters or IoT applications. Hardware/software offering fitness/lifestyle monitoring. Social-media networks. Application of AI to existing process. |
| Bio-metric data | Any processing of biometric data for the purpose of uniquely identifying an individual. A DPIA is required for any intended processing operation(s) involving biometric data for the purpose of uniquely identifying an individual. | Facial recognition systems. Workplace access systems/identity verification. Access control/identity verification for hardware/applications (including voice recognition/fingerprint/facial recognition). |
| Genetic data | Any processing of genetic data, other than that processed by an individual GP or health professional for the provision of health care direct to the data subject. A DPIA is required for any intended processing operation(s) involving genetic data. | Medical diagnosis DNA testing Medical research |
| Data matching | Combining, comparing or matching personal data obtained from multiple sources. | Fraud prevention. Direct marketing. Monitoring personal use/uptake of statutory services or benefits. Identity assurance services. |
| Invisible processing | Processing of personal data that has not been obtained direct from the data subject (in certain circumstances). | List brokering. Direct marketing. Online tracking by third parties. Online advertising. Data aggregation/data aggregation platforms. Re-use of publicly available data. |
| Tracking | Processing which involves tracking an individual’s geolocation or behaviour, including but not limited to the online environment. A DPIA is required for any intended processing operation involving geolocation data . | Social networks, software applications. Hardware/software offering fitness/lifestyle/health monitoring. IoT devices, applications and platforms. Online advertising. Web and cross-device tracking. Data aggregation / data aggregation platforms. Eye tracking. Data processing at the workplace. Data processing in the context of home and remote working. Processing location data of employees. Loyalty schemes. Tracing services (tele-matching, tele-appending). Wealth profiling – identification of high net-worth individuals for the purposes of direct marketing. |
| Targeting of children/other vulnerable individuals for marketing, profiling for auto decision making or the offer of online services | The use of the personal data of children or other vulnerable individuals for marketing purposes, profiling or other automated decision-making, or if you intend to offer online services directly to children. | Connected toys. Social networks. |
| Risk of physical harm | Where the processing is of such a nature that a personal data breach could jeopardise the [physical] health or safety of individuals. | Whistleblowing/complaint procedures. Social care records. |
NB: Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.
CONCLUSION
The introduction of an obligation to carry out a DPIA in certain circumstances will be challenging for many organisations, and the first one is likely to be confusing and time-consuming for the individuals involved.
Access to a good DPO will be highly beneficial. Indeed, the EDPB has recommended that this is what should be done whenever a DPIA is contemplated.
DISCLAIMER
This note, which is based on various sources including the ICO, is for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such.
If your organisation is looking to comply with the requirements of the GDPR then take a look at how our CSaaS and DPaaS solutions can help.