What is a Data Protection Impact Assessment (DPIA)?
When working on any project, before you implement something new or introduce a new way of working, there are steps you naturally take. You would create a plan, define your purpose and goals, consult the relevant people and consider any risks. For new projects or plans where personal data will be processed, the process is the same. Risk assessment is an essential part of project planning, and a Data Protection Impact Assessment is simply a risk assessment that looks specifically at data processing.
When should we complete a DPIA?
Think about the personal data you process in your organisation – what information do you collect and store about people? How does that currently work?
Now consider if that were to change. Maybe you’re changing how you collect your data in some way – you’ve always collected it via paper forms but now you’re moving to online, digital forms? Or you’ve always stored people’s data on spreadsheets saved in a shared drive, but you’re moving to a CRM system? If you’re implementing something new, whether that be a change to your current processes or an entire system, you should be completing some sort of risk assessment, and a DPIA is the most practical tool for the job.
What does the legislation say?
DPIAs are a legal requirement. Data protection legislation sets out when you should consider completing a DPIA and when you absolutely must complete one, and it also sets out the steps the assessment must cover. The UK GDPR (Article 35) gives us the core rule, the EU Guidelines expand on it, and the ICO gives practical advice too, but in short you must do a DPIA before you begin any type of processing that is “likely to result in a high risk” to the rights and freedoms of individuals.
How do we know what “high risk” means?
The UK GDPR states you must complete a DPIA if you plan to:
- use systematic and extensive profiling with significant effects;
- process special category or criminal offence data on a large scale; or
- systematically monitor publicly accessible places on a large scale.
These three examples are not an exhaustive list: the underlying test is whether the processing is “likely to result in a high risk” to individuals, and processing that falls outside the three examples can still meet that test.
We can also use the EU Guidelines to help us break down what “high risk” processing means. They list nine criteria, and say that in most cases processing that meets two or more of them will require a DPIA (processing that meets only one can still be high risk, depending on the circumstances):
- Evaluation or scoring, including profiling and predicting
- Automated-decision making with legal or similar significant effect
- Systematic monitoring: processing used to observe, monitor or control data subjects
- Processing sensitive data or data of a highly personal nature
- Data processed on a large scale
- Matching or combining datasets
- Processing data concerning vulnerable data subjects
- Innovative use or applying new technological or organisational solutions
- When the processing in itself “prevents data subjects from exercising a right or using a service or a contract”
And the ICO tells us that a DPIA is mandatory in the UK when your processing involves:
- Innovative technology + one of the EU criteria
- Denial of service: decisions about access to a product, service, opportunity or benefit that are based on automated decision-making (including profiling) OR that involve special category data
- Large scale profiling
- Biometrics + one of the EU criteria
- Genetic data + one of the EU criteria
- Data matching
- Invisible processing + one of the EU criteria
- Tracking location + one of the EU criteria
- Targeting children or other vulnerable individuals
- Risk of physical harm
So in short, what’s our advice?
The UK GDPR expects organisations to anticipate and plan for risks before an incident happens, and the principle of data protection by design and by default tells us to design systems and processes in a way that mitigates those risks. A DPIA is the most effective way to do this, and it has to be done before the processing starts, not after the system is live. So our advice? Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any new project involving the use of personal data.
Completing DPIAs can be tricky, so Hope & May is here to help! If you’re not sure when to complete a DPIA, or need support with the assessment itself, get in touch with us: info@hope-may.com