DPIAs: 9 Steps towards a Green Light for your Data Processing Projects
Last week, news outlets flagged to the world that the Government admitted it broke data protection law in failing to undertake a Data Protection Impact Assessment (DPIA) prior to beginning development on the Contact Tracing App that it was developing for UK citizens. Despite repeated assurances along the way that privacy was on their agenda, they hadn’t completed this fundamental requirement of the Data Protection Act 2018 and GDPR.
But they’re not alone; many businesses don’t stop to consider whether or not they should complete a DPIA when introducing new systems or processes which involve personal data. Not only are they also breaking data protection law, but the risks to individuals as a result of privacy and security issues are likely to be much higher if they haven’t been thought through right at the start.
‘Where do I start?’ I hear you sigh. Fear not, dear Reader! We’ve collated the answers to a few of the most common DPIA questions we get asked to help you out.
What is a DPIA?
A DPIA is a process which helps you to identify all the potential risks or harms which may affect individuals' rights and freedoms as a result of the data processing you plan to do. You can then consider if and how you can mitigate those risks or harms through technical or organisational measures.
When do you need to complete a DPIA?
You must complete a DPIA before you begin any processing which is likely to present a higher risk to individuals. You may not be sure at the start, but certain types of personal data and data processing are more likely to be accompanied by risk and potential harm.
This is where the Government fell foul of the law; they planned to process health-related personal data of UK citizens for the COVID-19 contact tracing app, which meant a DPIA should have been done at the start of the project. For businesses, introducing a new HR software package or accounting package would require a DPIA given the nature of the personal data that is likely to be processed.
The ICO added its own requirements to the core list of circumstances in which the GDPR requires a DPIA to be done, including matching data or combining datasets, using innovative technology, and profiling children or targeting marketing or online services at them.
Even if you don’t believe the data is likely to present a risk to individuals, it’s good practice to undertake a DPIA for any project that involves using personal data.
How do you complete a DPIA?
A DPIA should be started as early in the project as possible to give you the best chance of identifying and mitigating risks. Ensure you involve your Data Protection Officer or Lead and any other key stakeholders across your organisation. It should be part of the planning and development process, under constant review as the project progresses. There are key elements of a DPIA, which are outlined in the next question. Be objective – consider the processing from the viewpoint of the individuals whose data may be processed. Include them in the process if you can.
What are the key elements of the DPIA process?
The key elements of the DPIA process are:
- Identify the need for a DPIA
- Describe the processing
- Consider consultation
- Assess necessity and proportionality
- Identify and assess risks
- Identify measures to mitigate risk
- Sign off and record outcomes
- Integrate outcomes into plan
- Keep under review
In addition, you may wish to publish your DPIA to be transparent with your stakeholders. Individuals affected by the processing may ask to see it and it should be shared.
Can I get help with my DPIA?
Software providers should not complete the DPIA on your behalf – you may need information from them, but it’s your responsibility to consider all the risks to the personal data you are responsible for.
The ICO offer a sample DPIA which might be a helpful place to start. If it still feels tricky or difficult, the Databasix Team can work with you to complete a comprehensive and objective DPIA. Get in touch for more details.