Data Protection Impact Assessments Explained


Under the GDPR you will be required to carry out Data Protection Impact Assessments (DPIAs), involving your DPO (if you have one), where the data processing represents a “high risk to the rights and freedoms of the data subjects”. Read on to understand this requirement.

What is a DPIA?

A DPIA (also known as a privacy impact assessment or PIA) is an evaluation of the impact of a data processing operation on the protection of personal data: specifically, an assessment of the probability and severity of the risks to the rights and freedoms of individuals that result from your processing operation.

It should be noted that the GDPR does not require a DPIA to be carried out for every processing operation which may result in risks for the rights and freedoms of natural persons – just where the risk is deemed particularly high.

High-risk processing is defined as processing a considerable amount of personal data at regional, national or supranational level; which affects a large number of individuals; and which involves a high risk to individuals’ rights and freedoms, for example because of the sensitivity of the processing activity.

Some examples of high-risk processing include:

  • Profiling a data subject using automated processes to make decisions. The risk here is that a potentially damaging decision is taken without human intervention at any point in the decision-making process.
  • Processing large quantities of sensitive data where explicit consent has previously been given. This is further caveated by Member State law, which may prohibit such data from being used at all: data revealing ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data and sexual orientation is strictly prohibited under such law.
  • Systematically monitoring publicly accessible areas on a large scale, such as a shopping centre, especially when using technology such as CCTV, or any other operation where the competent supervisory authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects.
  • Processing data concerning vulnerable subjects, such as employees, children and the elderly.
  • Where public authorities or bodies intend to establish a common application or processing platform, or where several controllers plan to introduce a common application or processing environment across an industry sector or segment.

When is a DPIA definitely required? Some examples…

Sensitive data and/or data concerning susceptible subjects

Example: A hospital carrying out data processing on patient data, namely health data and genetic data.

Systematic CCTV monitoring and applying new technology to carry out processing

Example: The use of CCTV to monitor driving behaviour on motorways. The controller intends to use an intelligent video analysis system to isolate cars and use new number plate recognition software.

Systematic network/workstation monitoring

Example: A company monitoring its employees’ network activities including employee work stations and/or internet activity.

Large scale data evaluation or scoring

Example: Gathering public social media profiles where the data is to be used by private companies to build private profiles for contact purposes.

When might a DPIA not be required?*

Sending newsletters to an existing subscriber base

Example: An online magazine using a mailing list to send a generic daily digest to its subscribers.

Online advertising based on previous purchases

Example: An e-commerce website displaying adverts for car parts, involving limited profiling of user data based on past purchase behaviour, in certain areas of the site.

* Please note: Though unlikely, it is possible that one or more of the above examples could potentially need a DPIA, depending on the specific scenario. If you are unsure then we can help you to assess the requirement.

7 Steps to Plan Your Approach to DPIAs

DPIAs will play an important role under the GDPR, and data controllers must take their obligation seriously. If you identify that you need to undertake DPIAs, follow these 7 steps to establish a cyclical process for carrying out a DPIA:

  1. Give a detailed description of what data you are intending to process.
  2. Assess the necessity and proportionality.
  3. Devise the measures you intend to use to demonstrate and evidence compliance.
  4. Assess the risk to the rights and freedoms of the data subjects.
  5. Devise measures to address and mitigate the identified risk.
  6. Produce full documentation for auditing processes.
  7. Monitor and review the process.

DPIA Process Checklist

Use this checklist to help you implement these 7 steps as a process:

  • Establish clear and concise guidelines for what your organisation considers to be high-risk data processing requiring closer scrutiny in the form of a DPIA.
  • Establish clear, practical and understandable policies, processes and templates for carrying out DPIAs, and consider how DPIAs can be embedded within your organisation's overall operational/business strategy.
  • Consider what training programmes your organisation would need to put in place.
  • Consider what additional mechanisms your organisation needs so that individuals with permissioned access to personal data are in a position to express their views on whether a DPIA should be carried out.
  • Review all your key data processing operations and identify those that will be subject to the DPIA process.
  • Start carrying out DPIAs as a matter of best practice within your organisation.
  • Consider signing up to relevant codes of conduct through the ICO that might reduce the need for DPIAs.
  • Establish processes for consulting the ICO in relation to high-risk processing operations.

DPIA Elements Checklist

Use the checklist below to make sure your DPIA includes the following key points:

  • A systematic description of the proposed processing operations and the purposes of the processing, including, where relevant, the legitimate interest pursued by the controller.
  • An assessment of the necessity and proportionality of the processing operations in relation to the purposes.
  • An assessment of the risks to the rights and freedoms of data subjects that are likely to result from the processing (and, in particular, the origin, nature, particularity and severity of those risks).
  • The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR.

DPIAs are a pragmatic way for data controllers to implement data processing systems that fully comply with the GDPR. They are scalable and can take different forms, but the GDPR sets out the basic requirements of an effective DPIA.

Data controllers should treat carrying out a DPIA as a useful and positive activity that aids legal compliance.

If you think we can help you to implement your project or programme strategy, please call us on:
+44 (0) 203 141 8400 in the UK/Europe, or +1 713 821 1783 in the USA.

Alternatively, please send us some brief information and we can discuss things in more detail.