What is a data protection impact assessment?
A data protection impact assessment (DPIA) is a process designed to help organisations (often known as ‘data controllers’) analyse, identify and minimise the data protection risks of a project or plan. Carrying out DPIAs is an essential component of an organisation’s accountability obligation under the UK General Data Protection Regulation (GDPR). It helps organisations assess and demonstrate how they comply with their data protection obligations.
When should a DPIA be used?
DPIAs need to be completed where the processing (eg obtaining or recording) of personal data (eg names, addresses, information about a person’s health, or information about a person’s racial or ethnic origin) is likely to result in a high risk to the rights and freedoms of individuals.
What kind of risks do DPIAs assess and what is a high risk?
A ‘risk’ is the potential for any significant physical, material or non-material harm to individuals. To determine whether a risk is ‘high risk’, the likelihood and severity of any potential harm to individuals need to be considered.
The Information Commissioner’s Office (ICO) has published a list of data processing activities that it considers likely to result in a high risk to individuals, and which require a DPIA. Examples include:
- the processing of biometric data (eg fingerprint data/facial images)
- processing that involves tracking an individual’s geolocation or behaviour, or
- the combining, comparing or matching of personal data obtained from multiple sources
For more information, read the ICO’s guidance on what is considered likely to result in high risk and the ICO’s list of examples of data processing likely to result in a high risk.
Note that several types of data processing will always require a DPIA. For example, where the processing involves:
- the extensive profiling of individuals (eg when an employer monitors staff internet habits to ensure they aren’t using it for illicit purposes)
- monitoring of a publicly accessible area on a large scale
For more information, see the ICO’s guidance on the types of processing that automatically require a DPIA.
Where the processing of personal data is likely to result in a high risk to individuals, a DPIA needs to be carried out before any data is processed.
The ICO’s DPIA screening checklist can help determine whether a DPIA is needed.
What should a DPIA cover?
DPIAs must:
- describe the nature, scope, context and purposes of the processing
- provide details of any consultations
- assess the necessity, proportionality and compliance measures of the processing
- identify and assess risks to individuals
- identify any additional measures to help ease those risks
- sign-off
The processing’s nature, scope, context and purposes
The nature of the processing is what the organisation plans to do with the personal data (eg how the data is to be collected and stored, how long the data is to be kept for, and who has access to the data).
The scope of the processing is what the processing covers (eg the extent and frequency of the processing and the geographical areas covered).
The context of the processing is an assessment of the wider picture, including the current state of technology in the area (eg whether it is new), and whether there are any existing public concerns about its use.
The purpose of the processing is the reason why the organisation wants to process the personal data (eg what the intended outcomes of the processing are and the benefits that are expected).
For more information, see the ICO’s guidance on how to describe data processing.
Consultations
As part of a DPIA, unless there is a good reason not to do so, organisations should consult with and seek the views of individuals (or their representatives). Their views should be clearly documented. If it is not appropriate to consult individuals, this should be recorded together with a clear explanation as to why. For example, a consultation may not be appropriate if it would compromise commercial confidentiality.
The following parties should also be consulted as part of the DPIA:
- any relevant internal stakeholders at the organisation (especially those with responsibility for information security)
- independent experts (eg IT or sociology experts or ethicists), where appropriate
- legal advisers, for specific advice on your situation (note that there is no specific requirement to do this)
If an organisation (as a data controller) engages a data processor (ie another entity to help process personal data, such as a cloud services provider), it should ask the data processor for information and assistance.
For more information, read the ICO’s guidance on consulting individuals.
Necessity, proportionality and compliance
Organisations should consider whether their plan helps to achieve their purpose and whether there is any other way to achieve the same result. The DPIA should include details of how the organisation will ensure compliance with data protection law, as this is a good measure of necessity and proportionality. Organisations should set out:
- the lawful basis for the processing
- how function creep (ie use of personal data for a purpose that is not the original specified purpose) will be prevented
- how data quality will be ensured (under the GDPR, personal data has to be of good quality, ie the data has to be accurate and up-to-date)
- how data minimisation will be ensured. Personal data should not be kept for longer than its useful purpose, and in line with your Data retention policy if one exists. Where you have a data retention policy in place, link to it in your DPIA
- how privacy information will be provided to individuals
- how individuals’ rights will be implemented and supported
- how any data processors ensure compliance with data protection laws. Data processors should be engaged in the DPIA process to ensure their policies and procedures are compliant, and the DPIA should set out how data protection laws are complied with (eg by providing links to the processor’s compliance and/or security webpages)
- any safeguards they've put in place for any international transfers of data. As this can be very complex, it is recommended that you Ask a lawyer for more information when transferring data internationally
For more information, read Compliance for DPIAs and see the ICO’s guidance on assessing necessity and proportionality.
Risk
Organisations need to consider the potential impact on individuals and any harm or damage (physical, emotional or material) the processing may cause. Organisations should, for example, consider whether the data processing could contribute to:
- the inability to exercise rights (eg privacy rights)
- the inability to access services or opportunities
- the loss of control over the use of personal data
- identity theft
- fraud
- financial or physical harm
- reputational damage
To determine the overall risk associated with the processing (ie whether the risk is ‘high risk’), organisations should consider the likelihood and severity of the possible harm. The likelihood of possible harm can be:
- remote - it is possible that the risk may occur, but it is not likely
- possible (ie reasonably possible) - the risk may happen or reoccur on a semi-regular basis
- probable (ie more likely than not) - the risk will reoccur on a regular basis, pointing to some failure in controls
The severity of the possible harm can be:
- minimal - involving short-term minimal embarrassment to an individual, small amounts of personal data of the data subject (ie the individual that the data relates to), and/or minimal disruption or inconvenience in service delivery to the individual
- significant (ie some impact) - involving significant amounts of personal data being transferred outside of the organisation, leading to significant actual or potential detriment including emotional distress, as well as both physical and financial damage and/or safeguarding concerns
- severe (ie serious harm) - involving significant amounts of personal data being transferred outside of the organisation, leading to a proven detriment and/or high-risk safeguarding concerns. Data subjects may encounter significant or irreversible consequences which they may not overcome (eg layoffs or financial jeopardy)
Based on the likelihood and severity of the risk(s), overall risk needs to be determined. The overall risk can be:
- low - this is an acceptable risk, with no further action or additional controls required. Risks at this level should be monitored and reassessed at appropriate intervals
- medium - efforts should be made to reduce the risk, provided this is not disproportionate. The organisation should determine the need for improved control measures
- high - immediate action must be taken to manage the risk, and a number of control measures may be required
For more information, see the ICO’s guidance on identifying and assessing risks.
Risk mitigation
Organisations should consider how each risk identified could be reduced or eliminated altogether, taking into account the costs of any mitigating measures to consider whether they are appropriate.
Bear in mind that not all risks need to be eliminated - organisations may decide that some risks (even if they are high risk) may be acceptable (eg due to the benefits of processing or because mitigation is too difficult).
The ICO should be consulted if a risk that cannot be mitigated is identified. Where a risk with a high risk level is identified that cannot be mitigated, the ICO must be consulted before the processing can be started. The ICO will give written advice within 8 weeks (or 14 weeks in complex cases). If appropriate, they may issue a formal warning not to process the data or ban the processing altogether.
For more information, see the ICO’s guidance on identifying mitigating measures and guidance on consulting the ICO.
Sign-off
A DPIA should record:
- what mitigating measures the organisation plans to take
- whether the identified risks have been eliminated, reduced or accepted
- the overall ‘residual risk’ after taking mitigating measures
- whether the ICO needs to be consulted
The completed DPIA should then be provided to the organisation’s data protection officer (DPO), where one exists. The DPO should advise on whether the processing is compliant and can go ahead. If the DPO’s advice is not followed, the reasons for this need to be recorded.
What happens after a DPIA is completed?
Once a DPIA has been carried out, its outcomes should be integrated into the project plan. Any action points should be clearly identified and assigned to the party responsible for implementing them (eg under the organisation’s usual project-management process).
The ongoing performance of the DPIA should be monitored as it may be necessary to carry out another assessment before the project plans are finalised. Similarly, a DPIA may need to be repeated if there is a substantial change to the nature, scope, context or purposes of the data processing.
It is considered to be good practice to publish finalised DPIAs to abide by transparency and accountability obligations, increase trust in the organisation’s data processing activities, and facilitate and improve individuals’ abilities to exercise their rights in relation to personal data.
What if a DPIA isn’t carried out when data processing is likely to result in a high risk to individuals?
As DPIAs are an essential component of an organisation’s accountability obligations, carrying out a DPIA is a legal requirement when data is processed in a way that is likely to result in a high risk to the rights and freedoms of individuals. Under the GDPR, enforcement action can be taken against an organisation that fails to carry out a DPIA when it should have done so. Such enforcement action includes a fine of up to £8.7 million or 2% of an organisation's global annual turnover, whichever is higher.
If you have any questions or require assistance, Ask a lawyer. Consider using our GDPR compliance service to ensure your business complies with all relevant data protection laws.