How to Approach Data Protection Impact Assessments

DPIAs have been a topic in the news recently, with the ICO requesting that NHSX complete a DPIA for its COVID-19 contact tracing app for the regulator's consideration. The ICO recommends that you embed the DPIA process into your data protection regime to ensure that privacy risks are being actively considered in your organisation. This note sets out why DPIAs are an important tool to help manage data protection risk and provides guidance on when and how the process should be completed.

What is a DPIA?

The concept of a privacy impact assessment (‘PIA’) existed under the Data Protection Act 1998, but when GDPR came into force the completion of a DPIA became a legal requirement in certain circumstances. A DPIA is a process which helps your organisation to identify and minimise the data protection risks associated with a project which requires the processing of personal data. The assessment takes into account the nature, scope, context and purposes of the processing activity and it’s recommended that organisations complete this exercise in the early stages of a project to proactively address any data protection issues sooner rather than later. A DPIA should be completed in writing and recorded for accountability purposes.

When is a DPIA required?

Under the General Data Protection Regulation (GDPR) a data controller is required to carry out a DPIA when the anticipated processing of personal data is likely to result in a high risk to an individual’s rights and freedoms.

The GDPR provides that a DPIA should be completed where a project includes:

  • Automated decision-making, including profiling, that could significantly affect data subjects;
  • Large-scale processing of special categories of data (relating to race or ethnicity, political opinions, health, sexuality, etc.), or personal data relating to criminal convictions and offences; and
  • Systematic large-scale monitoring of public areas.

The summary above is quite broad and not entirely helpful in determining whether a DPIA should be carried out. The ICO has provided more in-depth guidance on when it would expect a DPIA to be carried out. Practical examples of projects requiring a DPIA include: introducing new software into your tech suite which will process special category data, such as a new HR system; using machine learning to make decisions about individuals, such as screening candidates for jobs; monitoring employee workstation activity; moving to a cloud-based data storage method; or, to use a topical example, introducing thermal imaging or workplace testing to help combat the spread of COVID-19.

If you’re unsure whether a DPIA is required, you should always consult your DPO for advice. If you decide not to carry out a DPIA, you must document the reason for your decision.

What information should be documented in a DPIA?

DPIAs come in many different styles and it helps to take a simple, structured approach to this process. The key steps to include in your DPIA are as follows:

  • Step 1 – Write a clear description of the way the data will be used;
  • Step 2 – Detail any consultation undertaken with key stakeholders, data subjects or their representatives. Is there anyone else you should talk to?
  • Step 3 – Document the necessity and proportionality of the processing, and describe the measures you have put, or will put, in place to demonstrate compliance with the data protection principles and to deal with data subject requests;
  • Step 4 – Document privacy risks which could affect data subjects. Do you need to use all of the data? Could you achieve the purpose in a less risky way?
  • Step 5 – Evaluate each risk. Set out any mitigating controls you have, or will put, in place to help reduce the risk;
  • Step 6 – The project sponsor and DPO should sign off on the DPIA, agreeing any actions to be taken during the project to reduce data protection risks;
  • Step 7 – Confirm the date of the DPIA review. The DPIA should run alongside the project and be reviewed from time to time to ensure any actions are complete.

Note that a DPIA doesn't need to confirm that all risks have been eliminated. In many cases, this will not be possible. The DPIA documents the risks accepted under the project and the details of how each risk will be managed or reduced. In circumstances where significant risks identified within a DPIA can't be treated, it may be necessary to refer the matter to the ICO for consideration.

When to refer a DPIA to the ICO

Organisations must consult the Information Commissioner’s Office (ICO) if their DPIA identifies a high risk and the organisation cannot take measures to reduce that risk. In these circumstances, organisations cannot begin the processing until they have consulted the ICO. It can take the ICO a long time to review DPIAs, which could delay your project. This is another good reason to begin your DPIA process at the start of a project to account for any possible delay.

Benefits of completing a DPIA

Completing a DPIA at the start of a project makes good business sense. It means you build privacy into the process from the start of your project and don't need to revisit this and make costly adjustments to the system or process you have designed at a later stage in development. DPIAs help organisations to demonstrate accountability under data protection law and show that privacy is at the heart of their operations. This can help build trust with your customers, clients and employees, which in turn brings commercial and reputational benefits.

Additional useful information on Data Protection Impact Assessments can be found at  If carrying out a DPIA please consult your Data Protection Officer, who will be able to assist in completing the necessary paperwork. 

Insight from Morgan O'Neill, Director Data Protection Services at Thorntons. For more information contact Morgan on 03330 430350 or email 

About the author

Morgan O'Neill

Director, Data Protection Services

Data Protection & GDPR

For more information, contact Morgan O'Neill or any member of the Data Protection & GDPR team on +44 131 624 6854.