The GDPR (General Data Protection Regulation) requires organisations to conduct a DPIA (data protection impact assessment) for data processing that is “likely to result in a high risk to the rights and freedoms of data subjects”.
Effectively a type of risk assessment, DPIAs assess how high-risk data processing activities could affect individuals (data subjects).
Failure to conduct a DPIA where required is a breach of the GDPR and could lead to administrative fines of up to 2% of your organisation’s annual global turnover or £17.5 million – whichever is greater – so it’s essential to get it right.
This DPIA checklist outlines the seven key elements of the DPIA process.
Step 1: Identify the need for a DPIA
You’ll need to conduct a DPIA for data processing that is “likely to result in a high risk”.
But the GDPR doesn’t define “likely to result in a high risk” – so what does it mean?
Although the goal of the DPIA itself is to identify “high risk” in detail, you’ll need to screen for any red flags that indicate that you need to do a DPIA.
As a starting point, Article 35(3) sets out three types of processing that always require a DPIA:
1. Systematic and extensive profiling with significant effects
Systematic processing includes management processes that are used to observe, monitor or control data subjects.
For example, organisations might monitor an employee’s browsing habits to ensure they aren’t using the Internet for illicit purposes.
Likewise, a retailer might use personal data collected about an individual to provide targeted ads.
Not every instance of systematic processing requires a DPIA. That’s because the processing must also be extensive (continual monitoring instead of occasional checks) and have significant effects (the data reveals something sensitive about the individual).
You can define ‘sensitive’ by assessing the damage – be it financial, reputational or emotional – that could be caused if an unauthorised party accessed the personal data.
2. Large-scale use of sensitive information
‘Large-scale’ refers to:
- A significant number of data subjects;
- A high volume of personal data; or
- Storing data for a substantial length of time.
Meanwhile, sensitive information refers to special categories of data or personal data relating to criminal convictions and offences.
3. Large-scale public monitoring
This includes any personal data processing that occurs in a publicly accessible space.
The most prominent example of this is CCTV, but organisations need to be increasingly concerned about the risks associated with dashcam footage and smart technology. Likewise, the development of ‘smart cities’ will see a surge in public monitoring subject to DPIAs.
In addition to these types of data processing, the ICO (Information Commissioner’s Office) states that organisations must conduct a DPIA when:
Implementing new technology
This includes processing that involves the innovative use of technologies or the application of modern technology to existing processes.
Examples of this include artificial intelligence and machine learning, self-driving cars and smart technology.
Using automated decision-making
Organisations often use automated decision-making to decide whether an individual should be given access to a product or service.
You will often need to conduct a DPIA if these decisions involve processing personal data, but it will be essential if sensitive data is used.
For example, credit checks and mortgage applications use financial data, which poses an especially high risk if compromised, so a DPIA is essential.
Conducting large-scale processing
According to the ICO, all large-scale data processing – not just activities involving sensitive information – should be subject to a DPIA.
Processing biometric or genetic data
Biometric data is usually used to authenticate that someone has appropriate access rights. Face and iris recognition and fingerprint scans are the most common examples.
Physical tests, like heartbeat monitoring and keystroke dynamics, are also considered biometric data.
Similarly, the collection of genetic data (other than that processed by an individual GP or health professional to provide healthcare directly to the data subject) is subject to a DPIA.
This includes data processed to perform medical diagnoses, DNA testing or medical research.
Data matching
This is any activity in which personal data from multiple sources is combined or compared.
The software firm Data Ladder has compiled a detailed list of reasons organisations might conduct data matching, with fraud prevention and direct marketing being two of the most common.
Conducting invisible processing
This is the processing of personal data that wasn’t obtained directly from the data subject. The rules surrounding this are outlined in Article 14 of the GDPR.
Examples of invisible processing include list brokering, direct marketing and online tracking by third parties.
Tracking
This is the monitoring of individuals’ movement or behaviour. Depending on the organisation’s aims, it might track location, browsing history, health or interactions with IoT devices.
Targeting children or vulnerable people
Children and vulnerable people are given special protection under the GDPR.
This includes any personal data processing targeted at them for marketing purposes, profiling and other forms of automated decision-making.
Processing that involves risk of physical harm
The risk related to personal data breaches usually refers to financial, reputational or emotional damage. Still, you must also be aware of physical risks.
For example, if the identity of a whistle-blower was exposed, that person might fear for their safety.
Likewise, if child counselling records were exposed, the affected child’s home life could be made even worse.
Step 2: Describe the processing
You’ll need to explain precisely how and why you plan to use the personal data you are processing.
This description of the process will be useful evidence and justification for your decision whether or not to conduct a full DPIA.
Your description should outline “the nature, scope, context and purposes of the processing”.
Let’s take a look at each of these terms in more depth:
Nature
The nature of the processing is what you plan to do with the personal data.
When describing the nature of the processing, you should outline:
- How you will collect and store the data.
- Who has access to the data, and who you’ll share it with.
- Whether or not you use any processors.
- How long you will retain the data.
- What security measures you have in place to protect the data.
- Any new technologies or novel types of processing used.
Scope
The scope of the processing defines what the processing covers. When documenting the scope of the processing, you should detail:
- The nature of the personal data.
- The volume and variety of the personal data.
- The sensitivity of the personal data.
- The extent and frequency of the processing.
- The duration of the processing.
- The number of data subjects involved.
- The geographical area covered.
Context
Describing the context of the processing requires you to consider the bigger picture.
This includes any factors, internal or external, that could affect the expectations or impact, such as:
- The source of the data.
- Your relationship with the individuals.
- How much control individuals have over their data.
- How likely individuals are to expect the processing.
- Whether the individuals include children or other vulnerable people.
- Any relevant advances in technology or security.
- Any current issues of public concern.
Purpose
Finally, you’ll need to explain the reason why you want to process the personal data. This should include:
- Your legitimate interests (where relevant).
- The intended outcome for individuals.
- The expected benefits for you or society as a whole.
Step 3: Consider consultation
Unless there is a good reason not to, you are required to seek and document the views of individuals (or their representatives).
In most cases, consultation should be possible in some form. Let’s take a look at two common scenarios:
1. You’re processing the data of existing contacts
If you’re processing the data of existing contacts – say, existing customers or employees – you should design a consultation process to seek the views of those involved.
2. You plan to collect the personal data of individuals you have not yet identified
In this scenario, you may need to carry out a more general public consultation process. This could comprise market research within a certain demographic or contacting relevant consumer groups for their opinions.
What next?
If, after consultation, your DPIA decision goes against the views of the individuals, you’ll need to document your reasons for disregarding their views.
Keep in mind that consultation won’t always be appropriate.
For example, if it could compromise commercial confidentiality, or pose a risk to security, it is reasonable to forgo the process.
However, if you decide to forgo consultation, you should record this decision as part of your DPIA, with a clear explanation.
Step 4: Assess necessity and proportionality
First of all, let’s examine what’s meant by necessity and proportionality.
Necessity is a fundamental principle when assessing the lawfulness of the processing of personal data.
It requires that your processing operations, retention periods and the categories of data processed go no further than is necessary for the purpose of the processing.
Proportionality is a general principle of EU law.
In the context of personal data processing, it requires that you only collect personal data that’s adequate and relevant for the purpose of the processing.
In accordance with the Article 29 guidelines, you should outline how you ensure data protection compliance. This is a good measure of necessity and proportionality.
Specifically, you should include relevant details of:
- Your lawful basis for the processing.
- How you plan to prevent function creep.
- How you intend to ensure data quality and data minimisation.
- How you plan to provide privacy information to individuals.
- What measures you take to ensure your processors comply.
- Any safeguards you have in place for international transfers.
Step 5: Identify and assess risks
It’s important to consider any harm or damage your processing may cause to the individuals involved. This could be physical, emotional or material.
In particular, you should consider whether the processing could contribute to significant economic or social disadvantage. This includes:
- Inability to exercise rights.
- Inability to access services or opportunities.
- Loss of control over the use of personal data.
- Discrimination.
- Identity theft or fraud.
- Financial loss.
- Reputational damage.
- Physical harm.
- Loss of confidentiality.
- Re-identification of pseudonymised data.
To assess whether the risk is high, you need to take into account both the likelihood and the severity of the possible harm.
A risk assessment matrix provides a simple way of doing that, quantifying each risk with a scoring system that combines its likelihood and severity.
It’s worth also considering your own corporate risks, for example, the impact of regulatory action, reputational damage, or a loss of public trust.
Step 6: Identify measures to mitigate risks
Now that you have evaluated the risks posed by your processing, you then need to consider ways to reduce that risk.
This could include:
- Refraining from collecting certain types of data.
- Taking additional technological security measures to protect the data.
- Training staff to ensure that risks are anticipated and managed.
- Anonymising or pseudonymising data.
You’ll need to assess whether the measure would reduce or eliminate the risk.
Consider the costs and benefits of each measure when deciding whether or not they are appropriate.
Step 7: Sign off and record outcomes
To conclude your DPIA, you will need to record:
- Any additional measures you plan to take.
- Whether each identified risk has been eliminated, reduced or accepted.
- The overall level of ‘residual risk’ after taking additional measures.
- Whether or not you need to consult the ICO.
It’s important to remember that you do not always have to eliminate every risk.
You might decide that some risks are acceptable, given the benefits of the processing and the difficulties of mitigation.
However, if there is still a high risk, you will need to consult the ICO before you can go ahead with the processing.
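As an added example, not part of the original post, the following Python risk register carries Steps 5 to 7 through: it scores each harm by likelihood and severity, records whether a Step 6 measure eliminated, reduced or merely left a risk accepted, and flags whether the residual risk is still high so that the ICO must be consulted before processing starts. The 3-point scales, the score thresholds and the sample register are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional
# Assumed 3-point scales: the page's matrix image is not reproduced, so these
# labels, scores and thresholds are illustrative rather than the ICO's own.
LIKELIHOOD = {"remote": 1, "possible": 2, "probable": 3}
SEVERITY = {"minimal": 1, "significant": 2, "severe": 3}

def score(likelihood: str, severity: str) -> int:
    return LIKELIHOOD[likelihood] * SEVERITY[severity]  # the matrix cell
def level(s: int) -> str:  # rating used at sign-off
    return "high" if s >= 6 else "medium" if s >= 3 else "low"

@dataclass
class Risk:
    harm: str                               # a Step 5 harm category
    likelihood: str
    severity: str
    measure: Optional[str] = None           # Step 6 mitigation, if any
    residual_likelihood: Optional[str] = None
    residual_severity: Optional[str] = None
    eliminated: bool = False                # e.g. the data is no longer collected
    def inherent(self) -> int:
        return score(self.likelihood, self.severity)

    def residual(self) -> int:  # score after the measure is applied
        if self.eliminated:
            return 0
        return score(self.residual_likelihood or self.likelihood,
                     self.residual_severity or self.severity)

    def outcome(self) -> str:  # Step 7 wording: eliminated, reduced or accepted
        if self.eliminated:
            return "eliminated"
        return "reduced" if self.residual() < self.inherent() else "accepted"

def sign_off(risks: list) -> dict:
    """Record each outcome and flag whether the ICO must be consulted first."""
    worst = max((r.residual() for r in risks), default=0)
    return {"outcomes": {r.harm: r.outcome() for r in risks},
            "residual_risk": level(worst) if worst else "none",
            "consult_ico": bool(worst) and level(worst) == "high"}

# Constructed sample register for a hypothetical customer-analytics process
REGISTER = [
    Risk("loss of confidentiality", "probable", "severe",
         measure="encrypt at rest; restrict access", residual_likelihood="remote"),
    Risk("identity theft or fraud", "possible", "severe",
         measure="stop collecting date of birth", eliminated=True),
    Risk("loss of control over the use of personal data", "possible", "significant"),
]
```

Running `sign_off(REGISTER)` rates the residual risk as medium with no ICO consultation needed; leaving the first risk unmitigated would keep it high and set `consult_ico` to True.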
GDPR Data Protection Impact Assessment Service
If you need help carrying out DPIAs, our DPIA Service provides all the support you need.
One of our GDPR/DPA consultants will conduct a one-day on-site assessment of the data protection risks present for a new or existing single data processing operation within your organisation.
The DPIA report will detail the data protection risks identified and prioritise them according to severity, include a statement of the likely impact on the rights of individuals should those risks occur, and recommend appropriate controls to mitigate the risks and reduce them to an acceptable level.
The report will be delivered within ten working days of completing the data-gathering phase of the DPIA.
We originally published a version of this blog post in September 2019.
The post GDPR Data Protection Impact Assessments: The 7 Key Stages of the DPIA Process appeared first on IT Governance Blog.