A Data Protection Impact Assessment (DPIA) is a process you may need to undertake when starting or making changes to a project or process that involves collecting, storing or otherwise using personal data.
In conjunction with the practical side of the project planning process, you should concurrently assess what personal data you need to control or process. The goal is to ensure that your personal data processing is necessary and proportionate to the aims of the project and that risks to data subjects are reduced.
To carry out a DPIA adequately, we often tell clients to ‘play devil’s advocate’ and imagine they are going to be a customer of this new service or product. Working through the assessment with the potential impact on your own personal data in mind can help you be more scrupulous in justifying what data is genuinely necessary.
Do I have to conduct a Data Protection Impact Assessment?
Conducting a DPIA is a legal requirement where processing is likely to result in high risk to the rights and freedoms of data subjects. Article 35 of GDPR provides three specific examples of high-risk processing where a DPIA will always be required. These are:
- activities involving a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, and on which decisions are based that produce legal effects affecting data subjects.
- processing on a large scale of special category data or of personal data relating to criminal convictions and offences.
- systematic monitoring of a publicly accessible area on a large scale.
Regulatory authorities are required to publish a list of other situations where they consider a DPIA is mandatory. The ICO’s list is available here. The law firm Fieldfisher has created a helpful summary of the lists created by all the supervisory authorities across the EU and the UK which can be downloaded here.
If you don’t carry out a DPIA where you are required to, there is a risk of enforcement action under the GDPR / Data Protection Act. This could be a fine but could equally be another enforcement action. In truth, not carrying out a DPIA where required is likely to be an aggravating factor in a wider non-compliance scenario.
On the flip side, carrying out a DPIA can help demonstrate accountability and, done properly, could help you during a compliance investigation. Besides, there are many benefits of carrying out a DPIA.
What are the benefits of a DPIA?
Carrying out a DPIA before you commence your project will help you comply with Article 25 of GDPR, which covers data protection by design and default. This is the process of incorporating data protection principles at every stage of the development of a processing activity, process or product.
Adopting this level of good practice will bring economic benefits as it can identify and mitigate problems early in the process. Dealing with issues at the later stages usually requires backtracking and re-doing a lot of work, which is time-consuming and expensive. Ensuring you collect the minimum amount of data can also lead to simpler, streamlined processes, which ultimately saves money.
How to conduct a Data Protection Impact Assessment?
First you must put your team together. The data controller has ultimate responsibility for carrying out a DPIA. If you employ a third-party data processor, you may need to include them in the DPIA process, and you will need to accommodate this in your contracts. It is possible to obligate your processor to carry out the DPIA but in this instance, as the controller, you are ultimately responsible.
Our advice to controllers would be to carry out your own DPIAs. Besides, doing them in collaboration with your supplier helps to maintain a transparent relationship which is best for data protection and security all round.
If you have a designated Data Protection Officer (DPO), their advice on the DPIA process must be sought by law, and this must be documented as proof of compliance. If, at any time, you decide not to take the advice of the DPO you should document your reasons.
All stakeholders should be involved in the DPIA process, which means the department initiating the activity covered by the DPIA and other key stakeholders, which often include IT, the project team and third-party processors. You may also need to seek the advice of independent experts in information security, law, and potentially less obvious areas of expertise such as sociology and ethics.
If the project involves a current process, you may need to consult current data subjects through a questionnaire, and if it’s for a new process you may need to carry out more general research of your target potential data subjects. Certain circumstances could mean that you don’t have to consult your customers, for example if you believe it would undermine commercial confidentiality; however, you must document your reasoning.
The DPIA should include as a minimum, a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable:
- the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes; and
- an assessment of the risks to the rights and freedoms of data subjects and the measures envisaged to address the risks.
Necessity and proportionality are critical. You need to be able to show that the requirement is in proportion to the potential risks to data subjects.
For example (and ignoring the lawful basis for processing for now), is the use of facial recognition technology in a pub to identify who should be served next both necessary and proportionate? In truth, probably not, even if it seems a good idea and the technology is available.
There is no specific layout for your DPIA but the ICO provide a sample template here and the French regulator, CNIL, have created a software tool that helps controllers through the process. The English version can be downloaded here.
Monitoring and reviewing your DPIA
Completing your DPIA is not just a box-ticking exercise. You must ensure that you incorporate the outcomes of the assessment into your project plan. Not doing so is almost worse than not doing one at all as it would clearly demonstrate to your regulatory authority that you knew exactly what was required and specifically ignored it!
Likewise, a DPIA is a process and not a one-off exercise (which is a common misunderstanding). Signing it off doesn’t make everything okay forever. Keep it under review, because processing activities, risks, the law and guidance change constantly.
If you need help in identifying whether you need a DPIA or carrying out your DPIA, we can help.