What is a DPIA and when is one required?
A DPIA, or Data Protection Impact Assessment, is a mandatory process that assists organisations with identifying potential risks that come with data processing and how that may affect an individual’s freedoms and rights.
There must be a consideration of how those risks can be reduced or eliminated through the necessary measures. DPIAs have been mandatory in certain circumstances since 25th May 2018 which is when GDPR came into effect.
There have been some high-profile failures to comply with the GDPR's requirement to perform a Data Protection Impact Assessment, including one by the UK Government during its introduction of the “Test and Trace” scheme, which we will explore later in this article.
When must a Data Protection Impact Assessment be completed?
Article 35(1) of the GDPR legislation states that “You must do a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of individuals” [Source: UK Information Commissioner's Office DPIA Guidance Notes]
What does “high risk” mean?
In the context of Data Protection Impact Assessments, “high risk” means the likelihood of personal data held by an organisation being leaked or misused.
An example of a “high risk” processing operation that would require a DPIA would be decisions about an individual’s access to products or services, such as credit checks or mortgage applications. The data involved, such as dates of birth, proofs of ID and financial history, is highly sensitive, and if any of it were compromised it could cause serious damage. Without a DPIA, the data processed by these organisations could be compromised, potentially affecting an individual’s rights.
The ICO and European Commission have each provided some more examples of processing activities which are likely to result in a high risk:
What factors might indicate “Likely to result in high risk?”
There are certain circumstances when a DPIA must be completed, and the Article 29 Working Party of EU data protection authorities (WP29) published guidelines with nine criteria. If your processing activity meets at least two of the criteria listed below, you must complete a DPIA before the processing activity is implemented/designed:
- Evaluation or scoring.
- Automated decision-making with legal or similar significant effects.
- Systematic monitoring.
- Sensitive data or data of a highly personal nature.
- Data processed on a large scale.
- Matching or combining datasets.
- Data concerning vulnerable data subjects.
- Innovative use or applying new technological or organisational solutions.
- Preventing data subjects from exercising a right or using a service or contract.
In addition to the criteria set out above, the Information Commissioner’s Office (“ICO”), requires you to carry out a DPIA if you intend to:
- use innovative technology
- use profiling or special category personal data to decide on access to services
- profile individuals on a large scale
- process biometric data
- process genetic data
- match data or combine datasets from different sources
- collect personal data from a source other than the individual data subject without providing the individual with a privacy notice
- track individuals’ location or behaviour
- profile children or target marketing or online services to them
- process data that may endanger an individual data subject’s physical health or safety in the event of a security breach
In some cases, even if you can only identify one high risk factor from this list it may still be necessary to do a DPIA, and it is good practice to do so. However, in most situations a combination of two factors will be a clear indicator of the need for a DPIA. If you are confident that you can justify a decision not to carry out a DPIA, the reasons should be clearly documented.
What types of processing automatically require a DPIA?
Article 35(3) sets out three types of processing which always require a DPIA:
- Systematic and extensive profiling with significant effects:
“(a) any systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.”
- Large scale use of sensitive data:
“(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10.”
- Public monitoring:
“(c) a systematic monitoring of a publicly accessible area on a large scale.”
When is a DPIA not required?
Article 35(1) outlines that a DPIA is generally not required in the following cases:
- Where the processing is not “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)).
- When the nature, scope, context and purposes of the processing are very similar to the processing for which DPIAs have been carried out. In such cases, the results of a DPIA for similar processing can be used (Article 35(1)).
- Where a processing operation has a legal basis in EU or Member State law, that law regulates the specific processing operation, and a DPIA meeting the standards of the GDPR has already been carried out as part of the establishment of that legal basis, so that an initial DPIA does not have to be carried out (Article 35(10)).
- Where the processing is included on the optional list (established by the supervisory authority) of processing operations for which no DPIA is required (Article 35(5)).
High-profile failures of DPIA
In 2020 the UK Government hit the headlines when the Open Rights Group threatened it with legal action over a failure to comply with data protection legislation during the planning and deployment of the COVID-19 NHS Test and Trace App. The UK Government later acknowledged that the DPIA had not been correctly conducted when Test and Trace was introduced. By the time it was highlighted that the DPIA had been missed, more than 150,000 people had had their personal information handled by the scheme, including names, contact details and health status.
Jim Killock, the executive director at ORG, said:
“Just because there’s a medical emergency, doesn’t mean that you just forget about basic data protection safeguards. What you end up with is hugely risky data practices, unknown risks, potential data leaks, abuse of information and destruction of trust in your programs from the public”
For more information and to read the Government’s response, click the following links:
High-profile failures such as this highlight just how easy it is to fail to comply with the legislation, and reinforce why it’s so vitally important that your team either receive formal Data Protection Impact Assessment training or that you contact a specialist DPIA consultant such as ourselves who can work with you to review, evaluate and improve your DPIA compliance.
Who should conduct the DPIA?
According to the ICO, you can determine who actually conducts the DPIA within your organisation, or even if you want to outsource it to a DPIA specialist. However, throughout the process you ultimately remain responsible for it and for ensuring your compliance.
In terms of stakeholders, the DPIA should be carried out by the Data Controller, but it can be completed with other people. It should always be done in conjunction with the Data Protection Officer (DPO). Depending on the size of your organisation, you may also need to involve other stakeholders such as information security staff (potentially your IT team if you don’t have a dedicated information security team) and your legal team.
Download a DPIA Template
The ICO has provided a free DPIA template which can be a useful starting point.
However, whilst templates are a useful tool, DPIAs should ideally be tailored to your individual organisation, as this offers the best way to ensure compliance. At Databasix, we can assist you with this as part of our service.
Alternatively, if you prefer a more DIY approach, our GDPR Toolbox includes 15 useful tools to help Data Protection Officers, including DPIA assessment forms* which help you decide if a DPIA is required, and if so, how to identify, assess and document any risks.
(*Included within the “Data Rockstar’s Complete Collection” which includes all 15 tools)
Watch our free Data Protection Impact Assessment webinar
Need help with your Data Protection Impact Assessments?
At Databasix we can help with DPIA training or consultation and implementation to ensure it is conducted in compliance with the law.