What are DPIAs and when are they required under GDPR?
Many firms and organisations will be familiar with the concept of a Data Protection Impact Assessment (DPIA) – they have been recommended by the Information Commissioner’s Office (ICO) for a number of years. But with the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018, DPIAs will no longer be just best practice, they will be mandatory in certain circumstances. So what are they, and when do firms need to undertake them?
In short, DPIAs are risk assessments concerned with the use of personal data within an organisation; they are designed to assist firms to consider whether data is secure, whether there is or could be any risk to individuals’ privacy, and whether firms are meeting their obligations. Whilst they’ve been extolled as best practice for many years, organisations typically aren’t always clear on when, or how, to undertake them. The GDPR provides an opportunity for firms to create a policy and process. It’s also worth bearing in mind that firms who fail to carry out a DPIA could be fined up to €10 million, or 2% of annual global turnover, whichever is higher.
The good news is that the Article 29 Working Party have produced guidelines which help to clarify the Regulation. They confirm that a DPIA is not mandatory for every processing operation, but is only required when the processing is ‘likely to result in a high risk to the rights and freedoms of natural persons’. In other words, they won’t be required for every operation which may result in risks to the rights and freedoms of individuals; the key word here is ‘high’. Article 35(3) of the GDPR sets out some examples of high risk processing:
A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
A systematic monitoring of a publicly accessible area on a large scale.
A reminder that special categories of data are any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
While the examples of high risk processing are useful, the list is not exhaustive, and where there is any confusion as to whether a DPIA might be required, it should be carried out nonetheless. The Working Party build on the examples with a more concrete list:
Evaluation or scoring, including profiling and predicting, especially from ‘aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements;
Automated decision making with legal or similar significant effect;
Systematic monitoring – any processing used to observe, monitor or control data subjects, this type of monitoring is a criterion because the data may be collected in circumstances where the data subjects may not be aware of who is collecting their data and how it will be used;
Data processed on a large scale;
Datasets that have been matched or combined – for example originating from two different controllers;
Data concerning vulnerable data subjects – for example, employees would meet serious difficulties in opposing the processing performed by their employer and children cannot be considered to be able to knowingly oppose or consent to the processing of their data. Other individuals likely to be considered in this category include those with mental health difficulties, asylum seekers, the elderly, a patient, or any other case where there maybe an imbalance in the relationship between the data subject and the controller;
Innovative use of or applying technological or organisational solutions – e.g finger print and face recognition for access control, or any other use of a new technology;
Data transfer across borders outside the European Union;
When the processing in itself prevents data subjects from exercising a right or using a service or a contract.
The Working Party suggests that the more criteria that are met, the more likely the processing is to present a high risk to data subjects, and therefore requires a DPIA. Where the controller believes that a DPIA is not required, the reasons should be thoroughly documented.
A DPIA would most likely not be required where the processing is not likely to result in a high risk to the rights and freedoms of natural persons; when the nature, scope, context and purposes of the processing are very similar to those for which a DPIA have been carried out previously; where a processing operation has a legal basis in law and where a DPIA has already been carried out as part of the establishment of that legal basis; where the processing is included on the optional list of processing operations, as set out by the ICO.
DPIAs should be carried out prior to the processing, and ideally as early as possible in the design of the operation, bearing in mind the obligation for privacy by design. DPIAs should be updated where any new issues arise as part of the project. The obligation rests on the controller to ensure it I carried out. It may be done by someone else within or outside of the organisation, but the controller is responsible. The controller must also seek the advice of the DPO, this advice and decisions taken should be documented within the DPIA.
To learn more, why not sign up for our GDPR All Stars Education Series?