In this blog, Pauline Brace, Senior Data Protection and Information Security Consultant at URM, answers key questions around data protection impact assessments (DPIAs), providing detailed guidance on the best practice approach to conducting them. The blog is based on the transcript of a webinar, delivered at the end of 2023, by Pauline Brace and Lisa Dargan, Director at URM. In the webinar, Pauline and Lisa provided advice and recommendations on when you need to conduct a DPIA, how to conduct one in line with GDPR requirements, and how to avoid some of the commonly seen mistakes.
What is a data protection impact assessment (DPIA)?
A DPIA is an assessment of the likelihood and severity of impact on the rights and freedoms of individuals over the processing of their personal data. It is not about the rights and freedoms of your organisation, and it’s important that you focus on individuals’ rights in this context.
Are DPIAs mandatory and do they need to be documented?
Under the General Data Protection Regulation (GDPR), DPIAs are mandatory in some cases, for example if your processing is considered to be high risk or high volume, and they must be documented, as your organisation (the data controller) is obliged to hold evidential proof that a DPIA has been completed.
Is there any difference between the UK Data Protection Act (DPA), UK General Data Protection Regulation (GDPR) and the EU GDPR?
The GDPR is a directive that all the states of Europe and European Economic Area (EEA) were required to adopt into their national legislation. The UK adopted the GDPR into national law as part of the UK Data Protection Act (DPA) 2018. So, the UK has its own GDPR which has a few amendments and other countries in Europe have done the same. But the fundamental requirements, rights and obligations do not differ across all participating countries.
What is the relevance of a ‘balancing test’ to a DPIA?
The balancing test hinges on the idea that you shouldn’t override the rights of individuals by purely concentrating on your organisational needs, and whenever you process any personal data there must be a genuine reason for doing so. As such, whenever you are considering implementing new data processing operations, there are some key questions you should ask yourself. Can you achieve the same outcome without the use of personal data? Is the processing necessary and proportionate? The rights of individuals should always be balanced with the needs of an organisation, and this is the balancing test.
What are ‘data controllers’ and ‘data processors’? How do they differ? Are data controllers or data processors responsible for carrying out the DPIA?
Your organisation is a data controller if it determines the purposes for which, and means by which, personal data is processed. A data processor is usually a third party that processes data on behalf of the controller, but could be a separate part of the controller’s own organisation. Generally, the data controller is responsible for performing the DPIA, but you may sometimes require the assistance of your processors to do so. Your processor’s operations may also trigger a DPIA if they need to make substantial changes to the ‘means’ of processing they perform for you, for example, introducing new technologies or new service locations. Processors are also responsible for ensuring that any organisations they engage as sub-processors remain compliant with the legislation.
Are organisations or individuals within them accountable for GDPR compliance?
Data controllers, and data processors, through service contracts with you, must comply with the GDPR which includes an ‘accountability’ clause. This means you must take responsibility for what you (and they) do with personal data and both need to be able to provide proof that you comply with the legislation. Accountability is applicable on both an organisational and an individual level. Ultimately, the organisation is responsible for the handling of personal data by their employees and representatives. However, in some cases, individuals themselves can be called to account under the legislation, as some elements of improper processing could represent a noncompliance or even a crime.
What is ‘privacy by design and by default’?
The concept of privacy by design and by default dictates that privacy should be built into a project, solution, system development, etc. from the get-go, rather than requiring data subjects to adjust settings to meet their privacy needs. Data subjects should automatically be provided with privacy control settings which they can then weaken or enhance at their discretion. DPIAs help you ensure that you’re meeting this requirement when embarking on a new project.
When do you need to do a DPIA?
There are some situations where your organisation must complete a DPIA. A DPIA must be conducted in relation to any processing that is considered high risk, or any processing involving a high volume of data. It’s important to note that the threshold for ‘high volume’ is undefined in the legislation, so you should carefully consider if your organisation’s data processing falls into this category.
There are some prescribed conditions where the legislation (and the UK and EU supervisory authorities) provide some guidance on what they consider to be high risk. Biometric, DNA and genetic data, such as facial recognition, would be considered high risk under the GDPR. Tracking, targeting children, public monitoring, and new technologies, such as artificial intelligence, would all also fall into this category. There are many other examples, but any processing that is particularly intrusive would be considered high risk and require a DPIA if you need to process it.
A key part of meeting the accountability requirement is making sure you have documented evidence of all your decision-making, including the decision not to perform a DPIA. The Information Commissioner’s Office (ICO), as well as URM’s DP consultants, recommend that you perform a DPIA anyway, even if you don’t initially think the data processing is high risk. As you get into the detail of a project, you may discover that your organisation does, in fact, want to perform high risk data processing, despite this not seeming to be the case at first. DPIAs also help you to define your compliance requirements, and function as good evidence under the accountability principle, providing you with an opportunity to keep a record of your decisions.
Do DPIAs need to be reviewed and revisited?
In most cases, it’s advisable to keep your DPIAs under consistent review, particularly when you are undergoing system upgrades and change programmes. For example, you might want to use existing personal data for a new purpose or collect additional data, and revisiting a DPIA would help you to ensure that your processing stays compliant.
Who is involved in performing a DPIA?
A DPIA is a cross-functional process and can’t usually be performed by any one individual alone. There are key people who will need to be involved and included in discussions as you go through the DPIA process; without their input, you may struggle to capture all the necessary information around who is doing what with the personal data your organisation is processing.
If you have one appointed, you will require extensive input from your data protection officer (DPO). If you don’t have a DPO, it could be useful to seek guidance from a data protection consultant. If the data is electronic, which it almost definitely will be, IT should also be involved. Input on information security is also likely to be necessary, as well as involvement of HR if staff data is relevant to the DPIA. Typically, your suppliers or business partners (data processors) will need to be engaged if they are running any part of your services or could impact your processing.
The legislation also states that you need to consider the opinions of data subjects. In practice, this usually means asking a representative sample of your data subjects for their thoughts on the proposed data processing.
What counts as ‘processing’ data under GDPR?
‘Processing’ covers everything you could do with the personal data your organisation collects, including collecting, consulting, manipulating, storing, deleting, transferring, etc. Every action you can think of which applies to the word ‘processing’ would be covered.
What triggers a DPIA? / How do you identify the need for a DPIA?
Every scenario where a DPIA may be required needs to be considered on a case-by-case basis; however, the implementation of significant changes to your organisation will often constitute grounds for a DPIA. The legislation requires you to check that new processing is compatible with the original reason for collecting the data. This can include new processing activities or uses of existing data, new systems, applications or technologies (AI, in particular, will automatically require a DPIA), and new third-party suppliers. Acquisitions and mergers can also trigger a DPIA, for example, if you’re going to acquire new data sets or dispose of personal information assets to the acquiring organisation. In any of these situations, it is important to keep everything under review, as circumstances can change.
Does a DPIA need to be shared with your local supervisory authority?
You would need to share a DPIA with the local supervisory authority to reach out for guidance if you cannot justify processing data for your intended purposes, or if you can’t find a solution that will mitigate the risk and impact to individuals. Guidance from the ICO can take several weeks to come back, but hopefully you will have received expertise and support before you reach the point of needing to consult the ICO.
How do you conduct a DPIA?
The first step of a DPIA is describing the processing you want to perform. You will need to identify the personal information that will be used for the activity, including which category the data subjects fall into (employees, customers, potential or previous customers, etc.). All the information about what you want to do with the data, as well as what you’re already doing, needs to be gathered and recorded at this point.
Following this, you should consider whether you need to consult the data subjects for their opinion on the data processing you want to do. Then, you will need to assess whether the processing is necessary and proportionate (i.e., the balancing test), and if there are alternative ways to perform the activity without using high-risk data or a high-risk volume of data. You may find that you could use subsets of the data or apply masking techniques to block or permanently remove it before you begin processing. One of the most important principles under the GDPR is that processing must be necessary, and you will need to be able to justify any processing operations your organisation performs as such.
Next, you will need to identify the risks to the individual and their rights, including the right to have their data processed securely, so you may need to do a corresponding security risk assessment. Decisions about risk mitigation or acceptance will typically be approved by an individual at the senior level of the organisation. If you have a DPO, they can make an informed decision that senior members of your organisation can then endorse.
The DPIA outcome will include conditional or recommended countermeasures for some of the risks you have identified. You will need to work through the recommendations for compliance, ensure you have met them, and implement the corrective actions, always keeping them under review.
What are some common failings and challenges associated with DPIAs?
The most common failing we see is individuals who don’t think the DPIA is their responsibility. As well as this, many organisations only conduct a DPIA for activities they think are high risk, despite the ICO’s guidance to conduct DPIAs for all activities involving personal data.
Excessive pressure from within your organisation to meet targets and deadlines can lead to corners being cut within the DPIA, such as deciding to accept a risk without sufficient evidence to support this decision. Occasionally, DPIAs are skipped completely by organisations due to pressure to have an activity up and running within a certain timeframe.
Weak internal policy and procedures can sometimes result in systems going live or third-party contracts being signed before a DPIA has been conducted; to prevent this, it’s important to have a robust implementation process in place which can catch these issues sooner rather than later. Finally, fear and a lack of confidence in your ability to make decisions which are compliant with the legislation is often the biggest challenge you will face when conducting a DPIA. As such, you might need some guidance and expertise to assist you with your decision-making process.
How URM Can Help
With a 17-year track record of helping organisations comply with legislation such as the DPA and GDPR, URM can offer a range of consultancy services to help you achieve and maintain full GDPR compliance, including assistance with DPIAs. Our data protection (DP) and GDPR consultants can draw on years of experience to advise you on when you should conduct a DPIA, how to do so and what the outputs should be. As well as this, they can suggest any measures that would help mitigate the risks you have identified and can provide a review service to ensure you have taken the right actions.
However, if you need support with other aspects of compliance, URM’s GDPR consultancy services extend well beyond DPIAs. Our virtual DPO service provides you with access to a team of highly experienced and qualified DP practitioners, each with their own area of GDPR consultancy in which they specialise. We can also conduct a gap analysis of your organisation’s DP practices to help you understand your current levels of compliance, identify gaps and vulnerabilities, and assist with your development and implementation of a prioritised remediation plan. As well as this, we can support you in developing a record of processing activities (ROPA), allowing you to identify not only any high risk processing of personal data, but also the steps you can take to mitigate those risks. If your organisation has received a data subject access request (DSAR), URM can help you process this request in a way that is compliant with the legislation by offering a GDPR DSAR redaction service. Understanding how to complete a DSAR, determining whether a DSAR request is valid or not, and verifying the identity of the data subject can require guidance and practice. As such, URM also offers a 1 day ‘How to Manage DSARs’ training course which covers all of these areas and more.
URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, ROPAs, data retention schedules, training programmes, etc.