What is a Data Protection Impact Assessment and when is it necessary?

It is not uncommon for privacy risks to arise in projects involving the use of personal data, so it is fundamental to identify and manage these risks before they materialise and cause harm to individuals. A Data Protection Impact Assessment, or DPIA, is a document that helps an organisation systematically analyse a processing operation and identify and address the risks and potential impact of that operation on the rights and freedoms of individuals. Article 35 of the UK General Data Protection Regulation (UK GDPR) sets out the requirement to carry out a DPIA. However, in some cases, beyond the requirements of the law, a DPIA can be used as a best practice tool.

In this article, we will look at when a DPIA is required, examining some practical steps in determining what constitutes ‘high risk’ processing. Then, we will explore how to complete a DPIA efficiently and how it can be used as a best practice tool to demonstrate accountability and increase awareness of privacy and data protection issues within an organisation.

When is a DPIA required?

Article 35 of the UK GDPR mandates that the organisation acting as a data controller carries out a DPIA for processing which is likely to result in high risk to the rights and freedoms of individuals. This obligation brings together the accountability principle under the UK GDPR and the concept of Privacy by Design as it allows a data controller to address and integrate principles of data protection at the design stage, demonstrating steps taken by the data controller to ensure accountability to protect people’s privacy and rights.

In determining whether Article 35 applies to an envisaged activity, the organisation needs to identify what is high risk processing. Article 35 sets out three examples where processing may qualify as high risk and trigger the need for a DPIA.

  1. Systematic and extensive evaluation of individuals, based on automated processing, used to make decisions that produce legal effects or similarly significant effects. For example, use of a targeted advertising tool that profiles individuals and uses those profiles to adapt advertisements.
  2. Large-scale processing of special category or criminal offence data. For example, large-scale processing may refer to a significant number of data subjects, a large volume of personal data collected, or an extended period of processing and storage.
  3. Systematic monitoring of a publicly accessible area on a large scale. For example, a retail shop might place a CCTV camera to monitor individuals coming in and out of the store.

However, based on European Data Protection Board (EDPB) and Information Commissioner’s Office (ICO) guidance, these are not the only examples of high-risk processing.

In addition to these, a data controller may need to carry out a DPIA where the envisaged processing operation involves the use of new technologies, methods or systems (e.g. technology using artificial intelligence), where multiple large datasets from different sources are linked, or where the processing involves data collected from vulnerable individuals such as children or the elderly.

Is a DPIA a best practice tool?

Whilst Article 35 of the UK GDPR sets out an obligation to carry out a DPIA where there is high-risk processing, organisations can choose to use a DPIA as a best practice tool to ensure they meet their accountability obligations and comply with all aspects of data protection law and principles.

The consistent use of DPIAs can increase an organisation’s awareness of privacy and data protection issues even where high risk is not spotted at first glance. A comprehensive analysis of an envisaged processing operation will help an organisation identify and fix issues before they escalate. Mitigating issues at an early stage, before any processing takes place, is less costly to the organisation, simply because it is easier to make adjustments while the project is still at the design stage.

Additionally, Article 24 of the UK GDPR sets out that it is the data controller’s responsibility to ensure any processing is performed in compliance with the UK GDPR, taking into account the nature, scope, context, purposes and risks of a project. This obligation does not distinguish between high-risk and low-risk processing; hence, even without a requirement for a DPIA, data controllers are always obliged to analyse their envisaged processing. Therefore, even where it is not mandatory, a DPIA is a helpful structured tool for considering the measures to implement to protect the rights and freedoms of individuals and comply with the UK GDPR.

How to complete a comprehensive DPIA efficiently?

An organisation must have clear and transparent DPIA guidance in place, embedded in its internal policies. This guidance should be available not only to the privacy team but to staff across different business lines because, more often than not, privacy teams require information from other teams to complete a DPIA. It is therefore important that enhanced training and guidance are provided to staff in roles where they may need to collaborate with data protection professionals to complete DPIAs. This helps reduce the time required to finalise a comprehensive DPIA. By establishing a strong organisational understanding of how DPIAs need to be completed, an organisation can ensure that the outcome of the assessment is meaningful and sheds light on any data protection gaps.

Appropriate training and guidance are all the more important for start-ups or organisations with less experience in completing DPIAs. To this end, seeking external support from professionals may help you get a head start on data protection compliance.

Want to know more?

This article aimed to familiarise you with when a DPIA is required, its purpose, and the broad measures you can take to complete one efficiently. If you have any questions or want expert support in completing a data protection impact assessment, check out our services or send us an enquiry at info@informationgovernanceservices.com.
