A new principle introduced by the GDPR is that of accountability. This requires data controllers to be able to demonstrate their compliance, and there are a number of ways in which they can do this. Data Protection Impact Assessments (DPIAs) are one tool that, under the GDPR, organisations must use to identify and minimise the potential data protection risks of any new project that involves the processing of personal data.
Also key to GDPR is that organisations take a “data protection by default and design” approach to any activities involving data processing. DPIAs again help to achieve this by identifying and enabling organisations to resolve any problems at an early stage.
Article 35(1) of the GDPR sets out the situations in which a DPIA must be used. It provides:
“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.”
So – when exactly does the above apply? Organisations must complete a DPIA when they are undertaking any processing likely to result in a high risk to individuals’ interests. This in particular includes:
- a “systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person” (art. 35(3)(a));
- “processing on a large scale of special categories of data [referred to in Article 9(1)], or of personal data relating to criminal convictions and offences [referred to in Article 10]” (art. 35(3)(b)); or
- “a systematic monitoring of a publicly accessible area on a large scale” (art. 35(3)(c)).
What kind of risk do organisations need to consider?
The types of risk to individuals that must be considered are not defined by the GDPR. However, Recital 75 of the GDPR links risk to any potential harm or damage to individuals, including material or non-material damage, taking into account not only actual damage but also potential intangible harm such as significant economic or social disadvantage.
What does high risk mean?
When assessing whether the processing may result in a high risk, organisations must consider the potential likelihood and severity of the potential harm. The key question that organisations should be asking as a first step is whether the processing is of a type likely to result in a high risk.
Examples of when a DPIA will automatically be required
The GDPR states that as well as the 3 situations set out in Article 35 of the GDPR, the supervisory authority must establish and publish a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment. The ICO has done so and sets out ten types of processing which automatically require a DPIA in the UK:
- New technologies: processing involving the use of new technologies, or the novel application of existing technologies (including AI).
- Denial of service: decisions about an individual’s access to a product, service, opportunity or benefit which are based to any extent on automated decision-making (including profiling) or involve the processing of special category data.
- Large-scale profiling: any profiling of individuals on a large scale.
- Biometrics: any processing of biometric data.
- Genetic data: any processing of genetic data, other than that processed by an individual GP or health professional for the provision of health care direct to the data subject.
- Data matching: combining, comparing or matching personal data obtained from multiple sources.
- Invisible processing: processing of personal data that has not been obtained direct from the data subject in circumstances where the controller considers that compliance with Article 14 would prove impossible or involve disproportionate effort.
- Tracking: processing which involves tracking an individual’s geolocation or behaviour, including but not limited to the online environment.
- Targeting of children or other vulnerable individuals: the use of the personal data of children or other vulnerable individuals for marketing purposes, profiling or other automated decision-making, or if you intend to offer online services directly to children.
- Risk of physical harm: where the processing is of such a nature that a personal data breach could jeopardise the physical health or safety of individuals.
If an organisation plans on doing anything that may be considered likely to result in a high risk to data subjects under the GDPR, they therefore need to have in place an appropriate DPIA process and ensure that the relevant employees are adequately trained to (i) recognise the situations where a DPIA should be performed and (ii) understand how to undertake the DPIA.
If the various activities of an organisation are likely to result in frequent DPIAs, it may be appropriate for the organisation to establish a bespoke DPIA procedure addressing its specific needs. Note, however, that a DPIA may not be required for every single processing activity, as a DPIA can cover a group of similar processing operations. In some situations an organisation may be able to rely on an existing DPIA for a similar processing operation with similar risks, so records of recent past DPIAs should be checked before commencing a new one.
Remember also that a DPIA is not only needed at the start of a new project but may also be required when changes are being made to an existing system, such as when there is a significant change to how or why personal data is collected, to the amount of data collected, or where new technical security measures are being introduced. This continuous assessment enables an organisation to manage risks on an ongoing basis.
Key steps in a DPIA process
The ICO have produced a sample DPIA template which can be used or adapted to suit your organisation’s needs, or you can choose to create your own, ensuring that it covers all the key steps set out above.
A decision not to perform a DPIA
Where an organisation chooses not to conduct a DPIA, it should document its decision and reasoning. Note that failure to carry out a DPIA in the situations which the GDPR states are mandatory may result in organisations being subject to enforcement action, including a fine of up to €10 million, or 2% of global annual turnover if higher.
There are a few exceptions to the requirement to undertake a DPIA and certain processing will not require a DPIA to be carried out. These include:
- If you are processing on the basis of a legal obligation or public task, as long as:
  - you have a clear statutory basis for the processing;
  - the legal provision or a statutory code specifically provides for and regulates the processing operation in question;
  - you are not subject to other obligations to complete DPIAs, such as mandatory minimum measures required by the Cabinet Office for consideration of information governance risks, or requirements derived from specific legislation such as the Digital Economy Act 2017; or
  - a data protection risk assessment was carried out as part of the impact assessment when the legislation was adopted.
- If you have already done a substantially similar DPIA, as long as the nature, scope, context and purposes of the processing are all similar.
- If your processing operation appears on the list of processing operations which do not require a DPIA, a list that the ICO is to produce.
If, having performed a DPIA, an organisation has identified a high risk which cannot be mitigated, it must consult the ICO before any processing is commenced. The ICO should be emailed with a copy of the relevant DPIA. It will review the DPIA and aims to respond within 8-14 weeks. It may advise that:
- the risks are acceptable and you can go ahead with the processing;
- you need to take further measures to reduce the risks;
- you have not identified all risks and you need to review your DPIA;
- your DPIA is not compliant and you need to repeat it; or
- the processing would not comply with the GDPR and you should not proceed.
The ICO may alternatively give an official warning not to proceed, or impose a limitation or ban on the processing in question.
The ICO has produced helpful, detailed DPIA guidance which includes further information on each of the key steps involved in the DPIA process set out above, as well as other useful guidance: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/
Their guidance includes this list of practical examples of operations which would require a DPIA under the GDPR: