Perhaps the first question should be, what is a DPIA? The short answer is that a DPIA is a Data Protection Impact Assessment, which, in simple terms, is a risk assessment relating to how personal data is used. It is a legal requirement under the UK GDPR for an organisation to conduct a DPIA if it proposes to introduce new systems for handling personal data or change existing ones in such a way that they are ‘likely to result in a high risk to the rights and freedoms’ of individuals. In other words, if your organisation intends to embark on a new project or make changes to an existing system that involves personal data and it has the potential to cause harm to individuals, a DPIA should be carried out.
The process should start in the early stages of the project and be continually revisited as the project progresses. Examples of scenarios in which a DPIA would be needed include installing CCTV, migrating to a different HR system or introducing a fingerprinting system for accessing your premises. The UK GDPR and the Information Commissioner’s Office (ICO) provide numerous other situations in which a DPIA is required. If you are unsure whether a DPIA is needed in any particular circumstances, it is always a good idea to incorporate a screening questionnaire into your DPIA process. A screening questionnaire should include a series of questions that allow you to establish whether a full DPIA is required.
The Purpose of a DPIA
Whilst completing a DPIA may initially feel like more red tape, it is, in fact, much more than a tick-box exercise, and it brings significant benefits. For example, by conducting DPIAs, your organisation will be able to identify and assess the risks to individuals at the outset of a project and again at regular intervals as the project develops, which will enable your team to build in the appropriate measures to eliminate or reduce those risks as they arise. Consequently, costly design faults relating to the privacy of personal information will be avoided. In addition to this, cultivating a culture where DPIAs are consistently conducted (where required) will have the effect of raising awareness within your organisation of the importance of data protection, helping to ensure that the privacy of personal data becomes business as usual. Therefore, DPIAs will not only help your organisation comply with the UK GDPR and satisfy the accountability principle, but they may also indirectly deliver financial benefits and encourage a culture of data protection.
What could happen if you don’t conduct a DPIA
Failing to carry out a DPIA when it is legally required could land your organisation in hot water with the regulator, who has the power to impose hefty penalties. The maximum fine for such a contravention is up to £8.3 million or 2% of your global turnover, whichever is the greater. The ICO also has the option to take other formal action that could severely damage your reputation and, therefore, your client base. It’s worth mentioning that, if a DPIA is completed but fails to properly address the risks to individuals, your organisation could still face formal action, so it’s important that the task is completed thoroughly. For example, in the case of Bridges -v- South Wales Police, the police were criticised for failing to properly assess the risks to individuals when using facial recognition technology. Similarly, when HMRC decided to use voice recognition technology, the ICO’s investigation found that there was not a DPIA in place that appropriately considered all the relevant risks. Formal action was taken in both cases.
Also, if a DPIA is not carried out or if it is not completed thoroughly, it may not properly identify the technical and organisational measures that should be implemented, leaving your organisation open to a potential personal data breach and non-compliance with data protection legislation. Many of you will, no doubt, have seen the headlines when the ICO issued huge penalty notices against Marriott Hotels and British Airways when they suffered personal data breaches.
What does this all mean?
In a nutshell, if you wish to embark upon a project that involves a change to the way in which personal data is used or introduces new personal data processing activities that could potentially result in harm to individuals, a DPIA screening questionnaire should be completed, followed by a thorough DPIA, if necessary. The process will enable you to identify, assess and mitigate the risks associated with the project or business change and should always be completed before you start any new processing activity. As highlighted above, this should ensure no retrofitting is required as any design faults will have been identified at the outset (whilst conducting the DPIA) before the change has taken place.
evalian® can guide you through the DPIA process or even conduct the DPIA for you alongside key personnel involved in your project or business change. We can provide you with all the support you need to help you identify and mitigate any risks associated with your processing activity. If you would like an informal conversation on how we can assist, please get in touch.