It is not unusual to occasionally come across the opinion that Data Protection regulation stops organisations from using or sharing personal data or even getting on with their work.
We are happy to say this is not the case, and a Data Protection Impact Assessment (DPIA) is a practical way to ensure that you can securely, fairly and proportionately share personal data – and get on with the work!
What is a DPIA?
A DPIA is a risk assessment that focuses explicitly on Data Protection risks. It offers a systematic and comprehensive way to analyse your processing to help you identify and minimise data protection risks.
What are the Benefits of Conducting a DPIA?
Having a strong awareness of the risks associated with a project in your organisation can improve the process and communication within your team. DPIAs are a great way to increase this awareness. A range of benefits are associated with conducting a DPIA:
- Makes sure that users are not at risk of their data protection rights being violated
- Reduces data protection risks to your organisation
- Your organisation can incorporate data protection by design into new projects
- Reduces unnecessary data collection and processing which leads to reduced costs
- Increases your standing among the public by improving communication about data protection issues
- Ensures that your organisation complies with the GDPR standards.
The DPIA Process
When do we need to do a DPIA?
You have to conduct a DPIA before you start any type of processing that is “likely to result in a high risk”. In practice, this means that even though you have not yet assessed the actual level of risk, you must be conscious of the types of processing that may potentially have a widespread or serious impact on individuals.
The GDPR provides examples of when data processing may result in high risks. This could be when:
- “A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.”
- “Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10.”
- “A systematic monitoring of a publicly accessible area on a large scale.”
Some examples of when to consider a DPIA
- new or innovative technology is being used
- you plan to use profiling or special category data to decide on access to services
- you plan to profile individuals on a large scale
- processing biometric or genetic data
- matching data or combining datasets from multiple sources
- invisible processing (processing where providing a privacy notice may not be possible)
- tracking an individuals’ location or behaviour
- profiling children or targeting marketing or online services at them
- processing may endanger the individual’s physical health or safety
When is a DPIA not required?
You’ll generally find that a DPIA is not required in the following cases according to Article 35 of the GDPR.
- Where the processing is not “likely to result in a high risk to the rights and freedoms of natural persons” (article 35(1)).
- When the nature, scope, context and purposes of the processing are very similar to the processing for which DPIAs have been carried out. In such cases, results of a DPIA for similar processing can be used (Article 35(1)).
- Where a processing operation has a legal basis in EU or Member State law and has stated that an initial DPIA does not have to be carried out, where the law regulates the specific processing operation and where a DPIA, according to the standards of the GDPR, has already been carried out as part of the establishment of that legal basis (Article 35(10)).
- Where the processing is included on the optional list (established by the Supervisory Authority) of processing operations for which no DPIA is required (Article 35(5)). Such a list may contain processing activities that comply with the conditions specified by this authority, in particular through guidelines, specific decisions or authorisations, compliance rules, etc. In such cases, and subject to reassessment by the competent supervisory authority, a DPIA is not required, but only if the processing falls strictly within the scope of the relevant procedure mentioned in the list and continues to comply fully with the relevant requirements
So what is ‘processing’ exactly?
A question we’ve had a lot over the years is what exactly is ‘processing’? It’s a fair question, and frequently the comprehensive scope of the GDPR definition can be quite surprising to some:
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.Article 4 The General Data Protection Regulation: https://www.legislation.gov.uk/eur/2016/679/article/4 – Definitions
Who should you consult, and when?
You must consult the ICO if your DPIA identifies a high risk, and it is not possible to take measures to reduce that risk. You are not allowed to begin the processing activity until the full consultation has taken place. The ICO will provide a written response advising whether the risks are acceptable or whether you need to take further action.
Finally, talk to your DPO!
If you have a Data Protection Officer, it is essential that you seek their advice. Your organisation is potentially exposed to a great deal of risk by either not conducting a DPIA or conducting one inadequately. Investing time in producing a comprehensive DPIA will ensure your business activities are saved from any delays later on.
If you’d like to discuss this further, need help with a DPIA or Data Protection issues more broadly, we’d love to talk. Give us a call or get in touch through the form below, and we’ll get back to you as soon as possible.