Data Protection Impact Assessments

What is a DPIA?

A DPIA is a process which helps you to identify all the potential risks or harms which may affect individuals’ rights and freedoms as a result of the data processing you plan to do. You can then consider if and how you can mitigate those risks or harms through technical or organisational measures.

Article 35 of the GDPR states that a DPIA must contain the following:

• A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the [data] controller
• An assessment of the necessity and proportionality of the processing operations in relation to the purposes
• An assessment of the risks to the rights and freedoms of data subjects
• The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR

How do you complete a DPIA?

A DPIA should be started as early in the project as possible to give you the best chance of identifying and mitigating risks. Ensure you involve your Data Protection Officer or Lead and any other key stakeholders across your organisation. It should be part of the planning and development process, under constant review as the project progresses. There are key elements of a DPIA, which are outlined below. Be objective – consider the processing from the viewpoint of the individuals whose data may be processed. Include them in the process if you can. This should be more than a tick-box exercise, and, done correctly, will improve the likely success of your project.

When do you need to complete a DPIA?

There are certain circumstances when a DPIA must be completed. If your processing activity meets at least two of the criteria listed below you must complete a DPIA before the processing activity is implemented/designed:

1. Evaluation or scoring
2. Automated decision-making with legal or similarly significant effects
3. Systematic monitoring
4. Sensitive data or data of a highly personal nature
5. Data processed on a large scale
6. Matching or combining datasets
7. Data concerning vulnerable data subjects
8. Innovative use or the application of new technological or organisational solutions
9. Preventing data subjects from exercising a right or using a service or contract
10. Data transfers across borders outside the European Union

In addition to the criteria set out above, the Information Commissioner’s Office (“ICO”), requires you to carry out a DPIA if you intend to:

• use innovative technology
• use profiling or special category personal data to decide on access to services
• profile individuals on a large scale
• process biometric data
• process genetic data
• match data or combine datasets from different sources
• collect personal data from a source other than the individual data subject without providing the individual with a privacy notice
• track individuals’ location or behaviour
• profile children or target marketing or online services to them
• process data that may endanger an individual data subject’s physical health or safety in the event of a security breach

Even if you don’t believe the data is likely to present a risk to individuals, it’s good practice to undertake a DPIA for any project that involves using personal data.

Key elements of the DPIA process

1. Identify the need for a DPIA: Assess whether a DPIA is required using the criteria listed above.
2. Describe the processing: describe the personal data involved in the proposed project, consider:
   1. The nature of the processing, for example how the data processed will be collected, stored and used
   2. The scope of the processing, for example the volume and variety, how sensitive that data will be (e.g. health data, genetic data), the extent, frequency, and duration of the processing
   3. The context of the processing, looking at factors such as the source of the data, how are you connected to the individuals involved, how much control those individuals have over their personal data
   4. The purpose of the processing, considering your legitimate interests (if this is your lawful basis for processing), the intended outcome for the individual data subjects involved, and the expended benefits
3. Consider consultation: The ICO recommends that seeking and documenting the views of individuals or their representatives as part of a DPIA. Remember what you want may not be what your customers, employees, or other individuals want.
4. Assess necessity and proportionality: You must consider whether your planned collection, holding, and processing of personal data actually achieves the stated purpose and whether there are any reasonable alternatives.
5. Identify and assess risks: Risks should be both identified and assessed in terms of likelihood and severity.
6. Identify measures to mitigate risk: For each risk identified, depending upon its likelihood and severity, a solution or at least a means of mitigating it should be identified. It is important to consider whether anything highlighted by the DPIA requires you to consult with the ICO. If your DPIA identifies a high risk that cannot be solved, even if you plan to continue and accept that risk, you must consult the ICO, as required by the GDPR.
7. Sign off and record outcomes: The advice of the DPO on all aspects of your DPIA is essential, including their sign-off on the report.
8. Integrate outcomes into plan: Your DPIA should conclude with what essentially amounts to a plan of action that can be integrated with your project plan.
9. Keep under review!