What is a data protection impact assessment?
A data protection impact assessment (DPIA) is a process designed to help organisations (often known as ‘data controllers’) identify and minimise the data protection risks of a project. A DPIA is an essential component of an organisation’s accountability obligation under the UK General Data Protection Regulation (GDPR) and helps organisations assess and demonstrate how they comply with their data protection obligations.
When should a DPIA be used?
DPIAs need to be completed where the processing (eg obtaining or recording) of personal data (eg names, addresses and information about racial or ethnic origin) is likely to result in a high risk to the rights and freedoms of individuals. A ‘risk’ is the potential for any significant physical, material or non-material harm to individuals. To determine whether a risk is ‘high risk’, the likelihood and severity of any potential harm to individuals need to be considered.
The Information Commissioner’s Office (ICO) has published a list of data processing activities that it considers likely to result in a high risk to individuals, and which require a DPIA. Examples include the processing of biometric data (eg fingerprint data/facial images), processing that involves tracking an individual’s geolocation or behaviour and the combining, comparing or matching of personal data obtained from multiple sources. For more information, see the ICO’s guidance and list of examples of data processing likely to result in a high risk.
Note that several types of data processing will always require a DPIA. For example, where the processing involves the extensive profiling of individuals (eg employers monitoring staff internet habits to ensure they aren’t using it for illicit purposes) or where the processing involves monitoring of a publicly accessible area on a large scale. For more information, see the ICO’s guidance.
Where the processing of personal data is likely to result in a high risk to individuals, a DPIA needs to be carried out before any data is processed.
The ICO’s DPIA screening checklist can help determine whether a DPIA is needed.
What should a DPIA cover?
DPIAs must:
- describe the nature, scope, context and purposes of the processing
- provide details of any consultations
- assess the necessity, proportionality and compliance measures of the processing
- identify and assess risks to individuals
- identify any additional measures to help ease those risks
- be signed off
The processing’s nature, scope, context and purposes
The nature of the processing is what the organisation plans to do with the personal data (eg how the data is to be collected and stored, how long the data is to be kept and who has access to the data).
The scope of the processing is what the processing covers (eg the extent and frequency of the processing and the geographical areas covered).
The context of the processing is an assessment of the wider picture, including the current state of technology in the area (eg whether it is new), and whether there are any existing public concerns about its use.
The purpose of the processing is the reason why the organisation wants to process the personal data (eg what the intended outcomes of the processing are and the benefits that are expected).
For more information, read the ICO’s guidance.
Consultations
The following parties should be consulted as part of the DPIA:
- any relevant internal stakeholders at the organisation (especially those with responsibility for information security)
- independent experts (eg IT, sociology or ethics experts), where appropriate
- legal advisers for specific advice on your situation (note that there is no specific requirement to do so)
For more information, read the ICO’s guidance.
Necessity, proportionality and compliance
Organisations should consider whether their plan helps to achieve their purpose and if there is any other way to achieve the same result. The DPIA should include details of how the organisation will ensure compliance with data protection law, as this is a good measure of necessity and proportionality. Organisations should set out:
- the lawful basis for the processing
- how function creep (ie use of personal data for a purpose that is not the original specified purpose) will be prevented
- how data quality will be ensured (under the GDPR, personal data has to be of good quality, ie the data has to be accurate and up-to-date)
- how data minimisation will be ensured (personal data should not be kept for longer than its useful purpose, in line with your data retention policy, if one exists. Where you have a data retention policy in place, link to it in your DPIA). Ask a lawyer if you require a data retention policy
- how privacy information will be provided to individuals
- how individuals’ rights will be implemented and supported
- how any data processors (ie anyone who carries out the instructions of the data controller in its processing of personal data) ensure compliance with data protection laws. Data processors should be engaged in the DPIA process to ensure their policies and procedures are compliant, and the DPIA should set out how data protection laws are complied with (eg by providing links to the processor’s compliance and/or security webpages)
- any safeguards they have put in place for any international transfers of data. As this can be very complex, it is recommended that you Ask a lawyer for more information
For more information, read Compliance for DPIAs and the ICO’s guidance.
Risk
Organisations need to consider the potential impact on individuals and any harm or damage (physical, emotional or material) the processing may cause. Organisations should, for example, consider whether the data processing could contribute to:
- the inability to exercise rights (eg privacy rights)
- the inability to access services/opportunities
- the loss of control over the use of personal data
- discrimination
- identity theft/fraud
- financial or physical harm
To determine the overall risk associated with the processing (ie whether the risk is ‘high risk’), organisations should consider the likelihood and severity of the possible harm. The likelihood of possible harm can be:
- remote - it is possible that the risk may occur but it’s not likely
- possible - the risk may happen or reoccur on a semi-regular basis
- probable - the risk will reoccur on a regular basis, pointing to some failure in controls
The severity of the possible harm can be:
- minimal - involving short-term minimal embarrassment to an individual, small amounts of personal data of the data subject (ie the individual the data relates to) and minimal disruption or inconvenience in the service delivery to the individual
- significant - involving significant amounts of personal data being transferred outside of the organisation, leading to significant actual or potential detriment (including emotional distress, as well as both physical and financial damage) and/or safeguarding concerns
- severe - involving significant amounts of personal data being transferred outside of the organisation, leading to a proven detriment and/or high-risk safeguarding concerns. Data subjects may encounter significant or irreversible consequences which they may not overcome (eg layoffs or financial jeopardy)
Based on the likelihood and severity of the risk(s), the overall risk needs to be determined. The overall risk can be:
- low - this is an acceptable risk, with no further action or additional controls required. Risks at this level should be monitored and reassessed at appropriate intervals
- medium - efforts should be made to reduce the risk, provided this is not disproportionate. The organisation should determine the need for improved control measures
- high - immediate action must be taken to manage the risk and a number of control measures may be required
For more information, read the ICO’s guidance.
Risk mitigation
Organisations should consider how each risk identified could be reduced or eliminated altogether, taking into account the costs of any mitigating measures to consider whether they are appropriate.
Bear in mind that not all risks need to be eliminated - organisations may decide that some risks (even if they are high risk) may be acceptable (eg due to the benefits of processing or because mitigation is too difficult). The ICO should be consulted if a risk that cannot be mitigated is identified. Where a risk with a high risk level is identified that cannot be mitigated, the ICO must be consulted before the processing can be started. The ICO will give written advice within 8 weeks (or 14 weeks in complex cases). If appropriate, they may issue a formal warning not to process the data, or ban the processing altogether.
For more information, read the ICO’s guidance.
Sign-off
A DPIA should record:
- what mitigating measures the organisation plans to take
- whether the identified risks have been eliminated, reduced or accepted
- the overall ‘residual risk’ after taking mitigating measures
- whether the ICO needs to be consulted
The completed DPIA should then be provided to the organisation’s data protection officer (DPO), where one exists. The DPO should advise on whether the processing is compliant and can go ahead. If the DPO’s advice is not followed, the reasons for this need to be recorded.
What happens after a DPIA is completed?
Once a DPIA has been carried out, its outcomes should be integrated into the project plan. Any action points should be clearly identified and assigned to the party responsible for implementing them (eg under the organisation’s usual project-management process).
The ongoing performance of the DPIA should be monitored as it may be necessary to carry out another assessment before the project plans are finalised. Similarly, a DPIA may need to be repeated if there is a substantial change to the nature, scope, context or purposes of the data processing.
It is considered good practice to publish finalised DPIAs, as this helps organisations abide by their transparency and accountability obligations, increases trust in the organisation’s data processing activities, and improves individuals’ ability to exercise their rights in relation to personal data.
What happens if a DPIA is not carried out?
As DPIAs are an essential component of an organisation’s accountability obligations, carrying out a DPIA is a legal requirement when data is processed in a way that is likely to result in a high risk to the rights and freedoms of individuals. Under the GDPR, if an organisation fails to carry out a DPIA when it should have done so, enforcement action can be taken. Such enforcement action includes a fine of up to £8.7 million or 2% of an organisation's global annual turnover, whichever is higher.
If you have any questions or require assistance, Ask a lawyer.