Guide to Data Protection Impact Assessments (DPIAs)

In this guide to DPIAs, we’ll help give you an understanding of DPIAs and why your organisation should complete them. Perhaps the first question should be…

What is a DPIA?

A Data Protection Impact Assessment (DPIA), in simple terms, is a risk assessment relating to how personal data is used and a process you may need to undertake when starting or making changes to a project or process that involves collecting, storing or otherwise using personal data.

Do we have to conduct a DPIA?

It is a legal requirement under the UK GDPR for an organisation to conduct a DPIA if it proposes to introduce new systems for handling personal data or change existing ones in such a way that they are ‘likely to result in a high risk to the rights and freedoms’ of individuals. In other words, if your organisation intends to embark on a new project or make changes to an existing system that involves personal data and it has the potential to cause harm to individuals, a DPIA should be carried out.

How do we know when to complete a DPIA?

The process should start in the early stages of the project and be continually revisited as the project progresses. Examples of scenarios in which a DPIA would be needed include installing CCTV, migrating to a different HR system or introducing a fingerprinting system for accessing your premises.

The UK GDPR and the Information Commissioner’s Office (ICO) provide numerous other situations in which a DPIA is required. If you are unsure whether a DPIA is needed in any particular circumstances, it is always a good idea to incorporate a screening questionnaire into your DPIA process. A screening questionnaire should include a series of questions that allow you to establish whether a full DPIA is required.

The benefits of a DPIA

Whilst completing a DPIA may initially feel like more red tape, it is, in fact much more than a tick-box exercise and it brings significant benefits. For example, by conducting DPIAs, your organisation will be able to identify and assess the risks to individuals at the outset of a project and again at regular intervals as the project develops, which will enable your team to build the appropriate measures to eliminate or reduce those risks as they arise.

Consequently, costly design faults relating to the privacy of personal information will be avoided. In addition to this, cultivating a culture where DPIAs are consistently conducted (where required) will have the effect of raising awareness within your organisation of the importance of data protection, helping to ensure that the privacy of personal data becomes business as usual. Therefore, DPIAs will not only help your organisation comply with the UK GDPR and satisfy the accountability principle (download our free Guide to GDPR Accountability), but they may indirectly deliver financial benefits and encourage a culture of data protection.

What could happen if you don’t conduct a DPIA

Penalties: Failing to carry out a DPIA when it is legally required, could land your organisation in hot water with the regulator, who has the power to impose hefty penalties. The maximum fine for such a contravention is up to £8.3 million or 2% of your global turnover, whichever is greater.

Reputational damage: The ICO also has the option to take other formal action that could severely damage your reputation and, therefore, your client base. It’s worth mentioning that, if a DPIA is completed but fails to properly address the risks to individuals, your organisation could still face formal action, so it’s important that the task is completed thoroughly. For example, in the case of Bridges -v- South Wales Police, the police were criticised for failing to properly assess the risks to individuals when using facial recognition technology and when the HMRC decided to use voice recognition technology, the ICO’s investigation found that there was not a DPIA in place that appropriately considered all the relevant risks. Formal action was taken in both cases.

Non-compliance & data breaches: Also, if a DPIA is not carried out or if it is not completed thoroughly, it may not properly identify the technical and organisational measures that should be implemented, leaving your organisation open to a potential personal data breach and non-compliance with data protection legislation. Many of you will, no doubt, have seen the headlines when the ICO issued huge penalty notices against Marriott Hotels and British Airways when they suffered personal data breaches.

How to conduct a DPIA

First, you must put your team together. The data controller has ultimate responsibility for carrying out a DPIA. If you employ a third-party data processor, you may need to include them in the DPIA process, and you will need to accommodate this in your contracts. It is possible to obligate your processor to carry out the DPIA but in this instance, as the controller, you are ultimately responsible.

Our advice to controllers would be to carry out their own DPIAs. Besides, doing them in collaboration with your supplier helps to maintain a transparent relationship which is best for data protection and security all around.

If you have a designated Data Protection Officer (DPO), their advice on the DPIA process must be sought by law, and this must be documented as proof of compliance. If at any time, you decide not to take the advice of the DPO you should document your reasons.

It is down to organisations to determine exactly what measures you need to implement to keep your data secure. Our recent blog The importance of the UK GDPR’s security principle aims to help you understand the importance of cyber security when it comes to data protection and the UK GDPR and some cyber security measures you should consider to support you with compliance.

Who should be involved in conducting a DPIA?

All stakeholders should be involved in the DPIA process which means, the department initiating the activity covered by the DPIA and other key stakeholders, which often include IT, the project team and third-party processors. You may also need to seek the advice of independent experts in information security, law, and potentially less obvious areas of expertise such as sociology and ethics.

If the project involves a current process, you may need to consult current data subjects through a questionnaire and if it’s for a new process you may need to carry out more general research on your target potential data subjects. Certain circumstances could mean that you don’t have to consult your customers, if, for example, you believe it would undermine commercial confidentiality, however, you must document your reasoning.

What should a DPIA include?

The DPIA should include as a minimum, a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable:

• The legitimate interest pursued by the controller;
• An assessment of the necessity and proportionality of the processing operations in relation to the purposes; and
• An assessment of the risks to the rights and freedoms of data subjects and the measures envisaged to address the risks

Necessity and proportionality are critical. You need to be able to show that the requirement is in proportion to the potential risks to data subjects.

For example (and ignoring the lawful basis for processing for now), is the use of facial recognition technology in a pub to identify who should be served next both necessary and proportionate? In truth, probably not even if it seems a good idea and the technology is available.

There is no specific layout for your DPIA but the ICO provides a sample template here and the French regulator, CNIL, has created a software tool that helps controllers through the process.

Monitoring and reviewing your DPIA

You must ensure that you incorporate the outcomes of the assessment into your project plan. Not doing so is almost worse than not doing one at all as it would clearly demonstrate to your regulatory authority that you knew exactly what was required and specifically ignored it!

Likewise, a DPIA is a process and not a one-off exercise (which is a common misunderstanding). Signing it off doesn’t make everything okay forever. Keep it under review, because processing activities, risks, the law and guidance change constantly.

Conclusion

In a nutshell, if you wish to embark upon a project that involves a change to the way in which personal data is used or introduces new personal data processing activities that could potentially result in harm to individuals, a DPIA screening questionnaire should be completed, followed by a thorough DPIA, if necessary.

The process will enable you to identify, assess and mitigate the risks associated with the project or business change and should always be completed before you start any new processing activity. As highlighted above, this should ensure no retrofitting is required as any design faults will have been identified at the outset (whilst conducting the DPIA) before the change has taken place.

Need help conducting DPIAs?

Evalian® can guide you through the DPIA process or even conduct the DPIA for you alongside key personnel involved in your project or business change. We can provide you with all the support you need to help you identify and mitigate any risks associated with your processing activity. If you would like an informal conversation on how we can assist, please get in touch. You can also view our recent case study with Abicare whom we support with their healthcare DPIAs.

​