Ever heard of a DPIA?
Well, now you’ll be glad you have. Safety first and all that…
Hard hat? Check.
Protective goggles and outerwear? Check.
Elbow and knee-pads? Check.
V sensible. These might well keep you safe from the fallout of a serious data mishap, but what if there was something you could do to reduce the chance of it happening in the first place? And, more importantly, to proactively protect those whose data you’re safeguarding?
Well, there is.
And it’s called a Data Protection Impact Assessment (DPIA).
Data Protection Impact Assessment (DPIA)
You’ll know already that the GDPR requires companies to have appropriate technical and organisational measures in place to ensure that data protection is built into their processing activities and business practices.
In fact, under GDPR Article 25 (data protection by design and by default), it’s now a legal requirement to consider data protection and privacy issues upfront in everything you do, to help ensure both compliance and accountability.
This is where a Data Protection Impact Assessment comes in.
Similar to a Privacy Impact Assessment (PIA), a DPIA is a process to help you identify and minimise the data protection risks surrounding your processing. It is obligatory under Article 35 whenever your processing of personal data is likely to result in a high risk to individuals’ rights and freedoms (for example, large-scale processing of special category data, systematic monitoring of publicly accessible areas, or profiling that produces legal or similarly significant effects), and it is good practice for any other project involving personal data.
Take Facebook as an example. If a data controller happens to be an app developer and decides to use Facebook Login to authenticate their users, they really ought to have conducted a DPIA first to understand the risks posed by relying on a third-party system: what personal data flows to that third party, what it does with it, and whether the system provides an appropriate level of security (and what evidence you have for that).
(Interestingly, and of more concern, a survey by Crownpeak in July 2018 indicated that 98% of the top Apple and Android apps did not comply with GDPR! So, where companies are designing or outsourcing new systems or apps that use personal data, they should automatically consider the implications of GDPR and carry out a DPIA, regardless of whether the processing is deemed high risk: good practice even where it isn’t a strict legal obligation.)
In short, your DPIA helps you consider the following:
- the nature, scope, context and purposes of your processing;
- whether your processing is necessary, proportionate and compliant;
- what risks there might be to individuals, i.e. to their rights and freedoms, including the potential for any significant social or economic disadvantage (the focus is on the potential for harm, to individuals or to society at large, whether physical, material or non-material);
- the likelihood of those risks materialising and the severity of the harm if they do; and
- what other measures you might need to take to mitigate those risks.
Then, once you’ve carried out your assessment, if it identifies a high risk that you cannot mitigate, the answer is simple: “DPIA SAYS NO.”
Should that happen, you must consult the ICO before you start the processing.
If the way you process data is well established and you’re not planning on introducing anything new that changes your processing, then you should have already weighed up the relevant risks and safeguards earlier this year (as part of good practice), before the GDPR came into force.
And, if you didn’t, then there’s no time like the present to review your processes to ensure that they comply with GDPR requirements!
Some useful ICO DPIA pointers to remember:
- Always consider a DPIA at the early stages of any plan involving personal data and/or new technologies (e.g. fingerprint or facial recognition software).
- Ensure that your existing policies, processes and procedures include references to DPIA requirements.
- Consult your data protection officer (if you have one) and/or relevant individuals and experts.
- A DPIA doesn’t need to completely eliminate the risks, as long as it minimises them and assesses whether the remaining risks are justified.
- Although DPIAs are a legal requirement only for designated ‘high-risk’ processing, you can also use them to bring about other benefits. They demonstrate broader compliance and accountability and, in turn, by building trust and engagement with customers/users, can lead to increased credibility and financial and reputational benefits.
- A DPIA may cover a single processing operation or a group of similar processing operations, and a group of controllers can carry out a joint DPIA.
- It shouldn’t be a one-off exercise. Instead, regard it as an ongoing process: review it regularly, embed DPIAs into your organisational processes and act on their findings.
Remember: A stitch in time…
There you are then – if you’re undertaking new data protection projects or introducing new systems and processes, DPIAs are the answer. As part of your ongoing good practice in data protection, they should complement all the other good work you’ve done around it.
Done properly, it means that you’ve understood the risks and have appropriate mitigations in place. Not only will they help prevent the proverbial from going anywhere near the fan, they’ll save you a load of time, money and stress if you do have to deal with a clean-up operation further down the line.
So, cancel your subscription to Protective Gear magazine and the meeting with your builder, and use the space you’d designated for your Armageddon Data-Gone-AWOL Bunker for a relaxing TV & Coffee Room instead: somewhere you can sit back, draw up DPIAs and refine your data protection strategy to your heart’s content.
And, while you’re at it, you can give us a shout too to lend a hand and provide some peace of mind. We’ll also bring some biscuits.
Now, do you know anyone who could do with an armour-plated car, two pairs of steel-toe boots and some ear defenders? Just asking.
Until next time...