Data Protection Impact Assessment: How To Perform One

Following our blog on whether an organisation needs to perform a data protection impact assessment (DPIA), we now explore EU guidance on how to perform one.

Methodology for conducting a Data Protection Impact Assessment

The General Data Protection Regulation (EU) 2016/679 (GDPR) does not define the structure and form for the performance of a DPIA. Instead, it gives data controllers the flexibility to determine the structure and form most suitable for their operations. However, referencing Article 35(7) and recitals 84 and 90 of the GDPR, the Data Protection Working Party (WP29) recommends the following process:

  • Prepare a description of the intended processing operations and the purposes of the processing. This includes the nature, scope, context and purpose of the processing.
  • Assess the necessity and proportionality of the processing. That is, do the plans achieve the stated purpose, and are there any other reasonable ways to achieve the same result?
  • Assess the risks to the rights and freedoms of data subjects.
  • Consider the measures to address the identified risks and thereby demonstrate compliance with the GDPR.

The WP29 also encourages the development of sector-specific DPIA frameworks, which allow DPIAs to address the specifics of a particular type of processing operation (for example, particular types of data, corporate assets, potential impacts, threats and measures). To support data controllers in choosing a methodology, the WP29 DPIA Guidelines include a "criteria for an acceptable DPIA" checklist.

Documenting the Data Protection Impact Assessment

A record of the DPIA should be retained for the lifetime of the system or project. If it is determined that a DPIA does not need to be carried out, a record should also be kept of the reasons why a DPIA was not considered necessary.

Publishing the Data Protection Impact Assessment

There is no requirement to publish a DPIA under the GDPR, but the WP29 recommends that data controllers consider publishing all or part of their DPIA to help "foster trust in the controller's data processing operations and demonstrate accountability and transparency".

When deciding whether to publish all or part of their DPIA, data controllers should make sure no "commercially sensitive information" or trade secrets are being disclosed or any other specific information which could cause security risks for the controller. The ICO DPIA guidance recommends redacting or removing any sensitive information in this situation, or alternatively publishing a summary.

Timing of the Data Protection Impact Assessment

The GDPR requires DPIAs to be carried out "prior to the processing" (Articles 35(1) and (10), recitals 90 and 93, GDPR). In order to comply with the GDPR, the DPIA should begin as early as possible and, where a processing operation is subject to ongoing changes, the DPIA may need to be continuously updated to ensure that the relevant requirements of the GDPR are being complied with.

The WP29 DPIA Guidelines also state that "carrying out a DPIA is a continual process, not a one-time exercise". Postponing or not carrying out a DPIA because the DPIA may need to be updated once the processing has begun is, therefore, not acceptable practice.

When to consult the supervisory authority

The controller must consult with a supervisory authority when a DPIA reveals a high risk to individuals which cannot be mitigated or reduced. That is, despite the controller implementing or considering privacy-enhancing measures (such as encryption, if appropriate) in relation to the relevant processing, a high residual risk still arises. Once contacted for consultation, the supervisory authority has eight weeks to provide written advice which can be extended by a further six weeks if the processing is sufficiently complex.

The WP29 provides the following as examples of instances with "high residual risk":

  • Where the data subjects may encounter significant, or even irreversible, consequences, which they may not overcome. For example, an illegitimate access to data leading to a threat on the life of the data subjects, a layoff, a financial jeopardy and so on.
  • When it seems obvious that the risk will occur. For example, by not being able to reduce the number of people accessing the data because of its sharing, use or distribution modes, or when a well-known vulnerability is not patched.

Data controllers are also required to consult with the supervisory authority where:

  • Applicable member state law requires them to do so.
  • Processing is carried out for the public interest and the controllers need to obtain prior authorisation from the supervisory authority (Article 36(5), GDPR).

Consulting the ICO

In the UK, the process for consulting the ICO requires an email to be sent attaching a copy of the relevant DPIA (ICO DPIA guidance). The following should also be included:

  • A description of the role and responsibilities of any joint controllers or processors.
  • Purposes and methods of the intended processing.
  • Measures and safeguards in place.
  • Contact details of any Data Protection Officer.
  • Any other information that the ICO may require.

Once the ICO has received the relevant DPIA it will conduct a brief screening exercise to ascertain whether there is a residual high risk and, if so, will notify the sender within ten days that the DPIA has been accepted for consultation.

The ICO will then review the DPIA considering whether:

  • The processing complies with the data protection requirements.
  • Risks have been properly identified and reduced to an acceptable level.

The process should be completed within eight weeks (although this can be extended up to 14 weeks in complex cases) as set out above. Where a processing operation may potentially impact on data subjects in other member states and co-operation with them may be required, then this may result in the consultation process taking longer than 14 weeks.

Following a consultation exercise, the ICO will confirm whether:

  • The risks are acceptable and processing can take place.
  • Further measures are required to reduce the risks.
  • All the relevant risks have not been identified and the DPIA needs to be reviewed.
  • The DPIA is not compliant and needs to be repeated.
  • The processing is not GDPR-compliant and should not take place.
  • Formal enforcement action will be undertaken, for example, a limitation or ban on processing.

Sanctions for non-compliance

Failure to comply with the DPIA requirements can lead to significant fines imposed by the applicable supervisory authority. Non-compliance can result in an administrative fine of up to EUR 10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

In addition to the considerations listed in Article 83(2) of the GDPR, the Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, published by the WP29 on 4 October 2017, suggest that supervisory authorities should consider the following factors in determining the size of the fine imposed:

  • The number of data subjects involved. The basic rule is that the more people affected, the bigger the fine.
  • The purpose of the processing, that is, the extent to which the processing upholds the two key components of the "purpose limitation" principle: purpose specification and compatible use.
  • The damage suffered by data subjects.
  • The duration of the infringement.

Practical Steps

Organisations should consider developing an internal protocol to determine when a DPIA must be carried out under the GDPR. A major challenge of complying with the GDPR's DPIA requirements is determining whether a DPIA must be carried out in respect of certain processing. Read our blog on when a DPIA needs to be carried out to help in this decision.

If you have any questions on data protection law or on any of the issues raised in this article please get in touch with one of our data protection lawyers.


Data Protection Impact Assessment (DPIA): Do You Need One?

A data protection impact assessment (DPIA) is mandatory for some organisations that process personal data and needs to be carried out before the processing begins. Find out below whether your data processing operations require such an assessment. This is one of a two-part blog series. Our other blog explores guidance on how an organisation should go about conducting a DPIA.

Brexit

The requirement to undertake a DPIA arises under the General Data Protection Regulation (EU) 2016/679 (GDPR), implemented into UK law by the Data Protection Act 2018 2018/12. Until the end of the transition period, 31 December 2020 unless extended, EU law will essentially continue to apply in the UK. This means that DPIAs will still be mandatory for some organisations until the end of the transition period.

Following the transition period, the European Union (Withdrawal Agreement) Act and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 incorporate the GDPR into UK law as the UK GDPR. Minimal changes have been made to this UK version of the GDPR, and they serve only to ensure the framework functions correctly after Brexit.

Therefore, following the transition period, some organisations will still need to undertake DPIAs to comply with the UK GDPR. As it stands, the conditions are the same as under the EU GDPR.

What does a DPIA address?

The Data Protection Working Party (WP29) published its finalised guidelines on DPIAs (WP29 DPIA Guidelines) on 13 October 2017. Under the GDPR, a DPIA must be carried out when processing personal data is "likely to result in a high risk to the rights and freedoms of natural persons" (Article 35(1), (3) and (4), GDPR). Although "high risk" is not defined in the GDPR, this should be taken as referring to the risks to individuals' interests and any potential harm, including non-tangible harm, such as "significant economic or social disadvantage". Evaluating whether processing is likely to result in a high risk should involve consideration of the likelihood and severity of the potential harm.

When is a DPIA mandatory?

Article 35(3) of the GDPR provides the following examples of when a processing operation is "likely to result in high risks" and therefore requires a DPIA:

  • A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
  • Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10. Special categories of personal data are defined in Article 9(1) of the GDPR to include all data revealing race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation or sex life, health and disability data, genetic data and biometric data.
  • A systematic monitoring of a publicly accessible area on a large scale.

The above list is non-exhaustive: processing operations that are not on the list may pose similarly high risks, in which case a DPIA would also need to be conducted.

WP29 criteria for conducting a DPIA

The WP29 DPIA Guidelines suggest that a DPIA should be carried out if the processing meets two or more of the following criteria, as these are indicators of likely high-risk processing:

  • Evaluation or scoring: profiling and predicting behaviours; for example, screening customers against a credit reference database.
  • Automated decision-making with legal or similar significant effect: for example, profiling which may lead to the exclusion of, or discrimination against, individuals.
  • Systematic monitoring: for example, an employee monitoring program. The risk is increased where:
    • the individual may not be aware who is collecting their data or how it will be used; or
    • it is difficult for the individual to avoid being subject to such processing if the monitoring is in a public space.
  • Sensitive data or data of a highly personal nature: the processing of sensitive personal data including special categories of data as defined in Article 9 (and above) or data which more generally increases risks for individuals or impacts exercise of a fundamental right, such as location data and financial data.
  • Data processed on a large scale: the number of individuals concerned, the volume or range of different data items, the duration of the processing and its geographical extent are all potential components of this risk factor. That is, the greater the volume, the greater the responsibility.
  • Matching or combining datasets: in particular, where the datasets originate from different processing operations and data subjects could not reasonably expect them to be combined.
  • Data concerning vulnerable data subjects: in cases where there is an imbalance in the relationship between the controller and the data subject, including, for example, children, employees, the mentally ill, patients or the elderly.
  • Innovative use of technological or organisational solutions: the use of new technologies with novel forms of data collection and use.
  • The processing prevents an individual from exercising a right or using a service: including processing aimed at "allowing, modifying or refusing access to a service or entry into a contract"; for example, where a bank screens a customer against a credit reference database to decide whether to offer a loan.

The WP29 DPIA Guidelines also indicate that a DPIA may still be required even if the processing meets only one of the above criteria, where that single criterion is enough to pose a high risk of harm to the rights and freedoms of individuals; for example, where the processing involves profiling which leads to exclusion of, or discrimination against, individuals.

Conversely, a DPIA may not be required where an organisation is confident that despite the existence of two of the above processing criteria, the processing is unlikely to result in a high risk (ICO DPIA guidance). In this case, it is important that the reasons for not undertaking a DPIA are documented.

ICO criteria for conducting a DPIA

Article 35(4) of the GDPR also requires supervisory authorities to publish a list of the kind of processing operations that are likely to be high risk and will require a DPIA.

The UK supervisory authority, the Information Commissioner’s Office (ICO), updated its DPIA guidance in January 2019. The ICO DPIA guidance states that some of the following ten types of processing operation will require a DPIA automatically, and some only when they occur in combination with one of the other items, or with any of the criteria in the WP29 DPIA Guidelines referred to above:

  • Innovative technology. This is processing involving the use of innovative technologies, or the novel application of existing technologies (including artificial intelligence). A DPIA is required where this processing is combined with any of the criteria from the WP29 DPIA guidelines.
  • Denial of service. That is, decisions that concern an individual's right to access a product, service, opportunity or benefit which are based on automated decision-making or involve the processing of special category data.
  • Large-scale profiling.
  • Biometric data. Meaning data referring to metrics related to human characteristics. Biometric authentication is used in computer science as a form of identification and access control. A DPIA is required where any processing of biometric data is combined with any of the criteria from the WP29 DPIA guidelines.
  • Processing involving genetic data (other than that processed by a GP or health professional for the provision of healthcare to the data subject). A DPIA is required where this processing is combined with any of the criteria from the WP29 DPIA guidelines.
  • Data matching. Meaning the comparison of two sets of collected data.
  • Invisible processing. That is, processing of personal data that has not been obtained directly from the data subject. A DPIA is required where this processing is combined with any of the criteria from the WP29 DPIA guidelines.
  • Processing involving tracking an individual's geolocation or behaviour. A DPIA is required where this processing is combined with any of the criteria from the WP29 DPIA guidelines.
  • Targeting of children or other vulnerable individuals for marketing purposes, profiling or other automated decision-making or where online services are being offered directly to children.
  • Processing involving the risk of physical harm to individuals.

When is a DPIA not required?

According to the WP29, a DPIA is not required where:

  • The processing is not "likely to result in a high risk".
  • The nature, scope, context and purposes of the processing are very similar to processing for which a DPIA has already been carried out (Article 35(1), GDPR).
  • The processing operations have been authorised by a supervisory authority before May 2018.
  • The processing has a legal basis in EU or member state law, where that law regulates the specific processing operation or set of operations in question, and a DPIA has already been carried out as part of a general impact assessment in the context of that legal basis. This will require sector relevant legal research.
  • The processing is included on the optional list (established by supervisory authorities) of processing operations for which no DPIA is required (Article 35(5)).

In relation to the UK, the ICO DPIA guidance states that although the ICO has the power to establish such a list, it has not yet done so, but it may consider doing so in the future following its experience of DPIAs in practice.

Getting ahead

The GDPR requires organisations to carry out DPIAs "prior to the processing" of personal data. Therefore, if your organisation plans to undertake the processing described, or already does, a DPIA should be performed as early as possible in order to comply with the GDPR.

For information on how to perform a DPIA read our blog here.