DPIAs – The DPO Centre ‘how to’ guide

According to research published in the latest UK Data Protection Index report, Data Protection Impact Assessments, otherwise known as DPIAs, are the things that are consuming the most of DPOs’ time and attention. The survey, which is conducted at the end of each quarter, asked its panel of 486 DPOs what had consumed the most of their attention over the last 30 days. Whilst the proportion of respondents that chose matters relating to 2020’s Schrems II decision and Covid-19 both increased, it was those pesky DPIAs that came out on top.

With this in mind, we recap below the what, when and how of conducting DPIAs.

What is a DPIA?

As the name might suggest, a Data Protection Impact AssessmentA formal documented assessment which allows decision-makers to identify, manage and mitigate any data protection risks associated with a project. (or a Privacy Impact Assessment) is a method by which data controllersEntities (such as an organisation) which determine the purposes and means of the processing of personal data. can assess the data protection impacts (read, risks) associated with a certain personal dataInformation which relates to an identified or identifiable natural person. processing activity or project, and then try to mitigate these risks as best as possible.

Whilst they are used to identify any data protection or privacy related risks, there is a particular emphasis on considering those risks that pose a threat to the rights and freedoms of individuals, as opposed to being focused on the risks to an organisation.

When do you need to conduct a DPIA?

As per Article 35 of the GDPR, data controllers are required to conduct a DPIA if a processing activity is likely to result in a high risk to the rights and freedoms of data subjects. Paragraph 3 of Article 35 states that the following scenarios fit this criterion:

1. Systematic and extensive profiling with significant effects
2. Large scale use of sensitive data
3. Systematic monitoring of a publicly accessible area on a large scale

However, this list is not exhaustive and the Article 29 Working Party (WP29) (the body that has now been replaced by the European Data Protection Board) produced guidance with nine further criteria which may indicate that a DPIA is needed:

1. Evaluation or scoring
2. Automated decision-making with legal or similarly significant effect
3. Systematic monitoring
4. Sensitive data or data of a highly personal nature
5. Data processed on a large scale
6. Matching or combining datasets
7. Data concerning vulnerable data subjects
8. Innovative use or applying new technological or organisational solutions
9. Preventing data subjects from exercising a right or using a service or contract

In addition, the UK’s Information Commissioner’s OfficeThe United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc. (ICOThe Information Commissioner's Office (ICO) is the United Kingdom’s independent supervisory authority for upholding information rights in the public interest, ensuring compliance with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).) has provided a further list of ten criteria which it feels also may make a processing activity high risk. These include the use of innovative technology; invisible profiling; and the targeting of children or other vulnerable individuals. If a processing activity hits two or more of these 19 criteria, that is an indication that a DPIA should be carried out. There is therefore a lot of guidance around when a DPIA might be required, however in practice, we suggest conducting one at the start of any major project that involves personal data, such as when introducing a new HR platform or CRM, or migrating from physical to cloud-based servers.

Crucially, at this stage, a high risk need not be guaranteed but only likely. Therefore, if in doubt, it is best practice to conduct a DPIA to determine, either way, what the level of risk is.

When it comes to the timing of completing a DPIA, they should be completed before the processing begins and ideally at the outset of a project or processA series of actions or steps taken in order to achieve a particular end.. This enables all the risks associated with the processing to be identified and then mitigated prior to any individuals having their rights and freedoms put at risk. In addition, conducting DPIAs at this stage will help organisations to implement a ‘Data Protection by Design’ approach to their processing, by ensuring that data protection risks are considered at the design phase of any project.

It is also important to note that whilst the DPO should be involved with conducting and reviewing DPIAs, they should be completed in the first instance by the individuals with the appropriate expertise and working knowledge of the processing activity itself. Who this individual will be will vary, but it is key that someone heavily involved with the project/processing is involved in conducting the DPIA so that the risks identified accurately reflect reality.

How to conduct a DPIA

A good DPIA will help the controller identify and minimise the privacy and data protection risks presented by a processing activity, whilst also helping it to meet its broader accountability obligations. According to the ICO, a DPIA is a 7-step process:

Step 1 – Identify the need for a DPIA

• Is the processing likely to result in a high risk to the rights and freedoms of individuals?

Step 2 – Describe the nature, scope, context and purpose of the processing

• This requires an in depth explanation of what, how and why you are undertaking the processing activity or project

Step 3 – Consider whether you need to consult with individuals

• You should consult with the affected individuals about the proposed processing unless there is a good reason not to. Whatever you decide you should document, along with justifications.

Step 4 – Assess the necessityThe purpose of the personal data processing activity must not be able to be achieved by a less intrusive method. and proportionalityA balance must be struck between the means used and the intended aim to ensure that a processing activity is proportionate. of the processing

• Consider how the processing helps to achieve your purpose and whether this is the least intrusive way of achieving said purpose

Step 5 – Identify and assess risks

• DPIAs should consider both the likelihood and the severity of any potential impacts on individuals. A “high risk” could result from either a high probability of “some harm” to a large number of individuals, or lower probability of “serious harm” to a few individuals.

Step 6 – Identify mitigations

• For every risk identified, consider how the level of risk could be reduced. This will vary in each circumstance but mitigation could include reducing the amount of data collected; introducing additional security measures; and altering retentionIn data protection terms, a defined period of time for which information assets are to be kept. periods.

Step 7 – Sign off and record outcomes

• All mitigations and outcomes should be documented and the level of residual risk assessed, after which, the DPIA can be signed off by those responsible. Where there is a high risk that is impossible to mitigate, controllers must consult with the ICO, who will determine whether the risks are acceptable and therefore whether the processing can go ahead.

Conclusion

Whilst DPIAs are often long, time-consuming documents to produce, something that the UK Data Protection Index panellists can attest to, they are also vital for ensuring that any high risk processing is properly considered and individuals are, as far as possible, safeguarded against any harm.

Aside from being a legal requirement in the instances that we have mentioned above, DPIAs are also beneficial for organisations in a number of other ways. For example, by helping organisations to comply with their Data Protection by Design obligations and the GDPR’s AccountabilityPerhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and, document their compliance. principle. As such, DPIAs can be useful in a wide array of situations, whether prescribed by the law or not.

If you would like any further advice on conducting DPIAs, or any other Data Protection Services, contact us by completing the form below.