What is a DPIA and what must you do when you need one?
Following the General Data Protection Regulation coming into effect eleven weeks ago, the Information Commissioner’s Office has published a suite of guidance documents for firms of all types, helping them to interpret the new rules and apply them in practice. This is particularly useful for firms that are still unsure about the more complex parts of the Regulation. The guidance includes a helpful run-down of the process for undertaking a Data Protection Impact Assessment (DPIA), which Article 35 requires in certain circumstances and which firms use to consider whether a processing operation is likely to put individuals’ rights and freedoms at risk.
A DPIA is a risk assessment of the use of personal data within an organisation. Done properly, it lets a firm assess whether the processing poses a risk to individuals’ privacy and whether the firm is meeting its obligations under the law.
The GDPR requires a DPIA where processing is ‘likely to result in a high risk’ to individuals. Our article on the definition of ‘high risk’ covers it in more detail. Although a DPIA is mandatory only where a high risk is likely, it is also good practice to complete one for any major project that involves processing personal data: doing so helps to evidence data protection by design and to demonstrate compliance.
A DPIA has at least two stages. The first is screening: at the outset of any new or proposed project, and whenever an existing operation changes, the firm checks whether the processing is likely to involve a high risk to individuals.
A firm’s screening process must set out which circumstances require a DPIA. The ICO offers a screening checklist to help firms with this stage; it also sets out circumstances in which firms should consider completing a full DPIA even where one is not strictly required.
When firms undertake a full impact assessment, they must:
Describe the nature, scope, context and purposes of the processing. This covers how the data is collected, stored and used; who has access to it; with whom it is shared; whether any processors are used; retention periods; security measures; whether new technologies or novel types of processing will be used; and which screening criteria were flagged as likely high risk.
In addition, they must:
Communicate with any processors during the exercise, so that their processing activities and the associated risks can be documented accurately;
Consult affected individuals or their representatives, where appropriate;
Seek the advice of the Data Protection Officer, where one has been appointed;
Assess necessity, proportionality and compliance measures;
Undertake an objective assessment of the likelihood and severity of any risks to individuals’ rights and interests;
Identify any additional measures to mitigate those risks;
Record the process and decisions, including any difference of opinion with the DPO or with the individuals consulted.
If a firm identifies a high risk that it cannot mitigate, it must consult the ICO before the processing begins.
The controller is responsible for the DPIA. The work can be outsourced to an external consultant, but accountability for it stays with the firm.
The Data Protection Officer (where one has been appointed), information security staff, any processors, and legal advisors or other experts where relevant, should be involved and consulted. The DPO can advise on whether a DPIA is needed, how to carry it out, how to mitigate the risks identified, whether it has been done correctly, and whether the processing can go ahead; the decision itself, again, rests with the controller.
Firms should keep comprehensive documentation throughout the process. This should include evidence that advice was sought from the DPO and, where applicable, the advice given; copies of all communication with individuals and stakeholders; the information gathered; and any evidence used to arrive at a decision, together with a clear and defined justification for that decision.
Outside the process itself, staff involved in project planning should be trained to recognise the need to consider a DPIA at the early stages of any plan involving personal data. Staff who undertake DPIAs need to be fully trained on the process and on the GDPR.
Finally, policies and procedures should be updated to refer to the DPIA requirements, and firms need a documented DPIA process, ideally including a screening checklist.