A new principle introduced by the GDPR is that of accountability. This requires data controllers to be able demonstrate their compliance and there are a number of ways that they can do this. Data Protection Impact Assessments (DPIAs) are one tool that under the GDPR must be used by organisations to identify and minimise the potential data protection risks of any new projects to be undertaken which involve the processing of personal data.
Also key to GDPR is that organisations take a “data protection by default and design” approach to any activities involving data processing. DPIAs again help to achieve this by identifying and enabling organisations to resolve any problems at an early stage.
Article 35 (1) of the GPDR sets out the situations in which a DPIA must be used. This includes:
“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.”
So – when exactly does the above apply? Organisations must complete a DPIA when they are undertaking any processing likely to result in a high risk to individuals’ interests. This in particular includes:
What kind of risk do organisations need to consider?
The type of risks to individuals that must be considered are not defined by the GDPR. However, Recital 75 of the GDPR links risk to any potential harm or damage to individuals including material or non-material damage – taking into account not only actual damage but also potential intangible harm such as significant economic or social disadvantage.
What does high risk mean?
When assessing whether the processing may result in a high risk, organisations must consider the potential likelihood and severity of the potential harm. The key question that organisations should be asking as a first step is whether the processing is of a type likely to result in a high risk.
Examples of when a DPIA will automatically be required
The GDPR states that as well as the 3 situations set out in Article 35 of the GDPR, the supervisory authority must establish and publish a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment. The ICO has done so and sets out ten types of processing which automatically require a DPIA in the UK:
If an organisation plans on doing anything that may be considered likely to result in a high risk to data subjects under the GDPR, they therefore need to have in place an appropriate DPIA process and ensure that the relevant employees are adequately trained to (i) recognise the situations where a DPIA should be performed and (ii) understand how to undertake the DPIA.
If the various activities of an organisation, are likely to result in frequent DPIAs, it may be appropriate for the organisation to establish a bespoke DPIA procedure, addressing its specific needs. Note however that a DPIA may not be required for every single processing activity as a DPIA can cover a group of similar processing operations. In some situations, an organisation may be able to rely on an existing DPIA for a similar processing operation with similar risks so records of recent past DPIAs should be checked prior to commencing a new one.
Remember also that a DPIA is not only needed at the start of a new project but may also be required when changes are being made to an existing system, such as when there is a significant change to how or why personal data is collected, the amount of data collected or where new security technical measures are being introduced. This continuous assessment enables an organisation to manage risks on an ongoing basis.
Key steps in a DPIA process
The ICO have produced a sample DPIA template which can be used or adapted to suit your organisation’s needs, or you can choose to create your own, ensuring that it covers all the key steps set out above.
A decision not to perform a DPIA
Where an organisation chooses not to conduct a DPIA, it should document its decision and reasoning. Note that failure to carry out a DPIA in the situations which the GDPR state are mandatory, may result in organisations being subject to enforcement action, including a fine of up to €10 million, or 2% global annual turnover if higher.
There are a few exceptions to the requirement to undertake a DPIA and certain processing will not require a DPIA to be carried out. These include:
ICO involvement
If after an organisation has performed a DPIA it has been assessed that there is a high risk which cannot be mitigated, the organisation must consult the ICO before any processing is commenced. They should be emailed, with a copy of the relevant DPIA. They will review it and aim to respond within 8-14 weeks. They may advise that:
They may alternatively give an official warning not to proceed or imposing a limitation or ban on the processing in question.
Further guidance
The ICO have produced helpful detailed DPIA guidance which includes further information on each of the key steps involved in the DPIA process set out above, as well as other useful guidance. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/
Their guidance includes this list of practical examples of operations which would require a DPIA under the GDPR: