A data protection impact assessment (DPIA) is mandatory for some organisations who process personal data and need to be carried out before the processing begins. Find out if your data processing operations require such an assessment below. This is one of a two part blog series. Our other blog explores guidance around how an organisation should go about conducting a DPIA.

Brexit

The requirement to undertake a DPIA arises under the General Data Protection Regulation (EU) 2016/679(GDPR) implemented into UK law by the Data Protection Act 2018 2018/12. Until the end of the transition period, 31 December 2020 unless extended, EU law will essentially continue to apply in the UK. Meaning that DPIA’s will still be mandatory for some organisations up until the transition period.

Following the transition period the European Union (Withdrawal Agreement) Act and Data Protection Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, incorporate the GDPR into UK law as the UK GDPR. Minimal changes have been made to this UK version of GDPR. These changes only serve the purpose of ensuring the framework functions correctly after Brexit.

Therefore following the transition period some organisations will still need to undertake DPIA’s to comply with the UK GDPR. As it stands, these conditions are the same as under the EU GDPR.

What does a DPIA address?

The Data Protection Working Party (WP29) published its finalised guidelines on DPIAs (WP29 DPIA Guidelines) on 13 October 2017. Under the GDPR, a DPIA must be carried out when processing personal data is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1), (3) and (4), GDPR). Although “high risk” is not defined in the GDPR, this should be taken as referring to the risks to individuals’ interests and any potential harm, including non-tangible harm, such as “significant economic or social disadvantage”. Evaluating whether processing is likely to result in a high risk should involve consideration of the likelihood and severity of the potential harm.

When is a DPIA mandatory?

Article 35(3) of the GDPR provides the following examples of when a processing operation is “likely to result in high risks” and therefore require a DPIA:

  • A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
  • Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10. Special categories of personal data are defined in Article 9(1) of the GDPR to include all data revealing race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation or sex life, health and disability data, genetic data and biometric data.
  • A systematic monitoring of a publicly accessible area on a large scale.

The above list is non-exhaustive, meaning there may be processing operations that are not on the list which may pose similarly high risks and therefore a DPIA would need to be conducted.

WP29 criteria for conducting a DPIA

The WP29 DPIA Guidelines suggest that a DPIA should be carried out if processing consists of two or more of the following criteria as these are indicators of likely high-risk processing:

  • Evaluation or scoring: profiling and predicting behaviours; for example, screening customers against a credit reference database.
  • Automated decision-making with legal or similar significant effect: for example, profiling which may lead to the exclusion of, or discrimination against, individuals.
  • Systematic monitoring: for example, an employee monitoring program. The risk is increased where:
    • the individual may not be aware who is collecting their data or how it will be used; or
    • it is difficult for the individual to avoid being subject to such processing if the monitoring is in a public space.
  • Sensitive data or data of a highly personal nature: the processing of sensitive personal data including special categories of data as defined in Article 9 (and above) or data which more generally increases risks for individuals or impacts exercise of a fundamental right, such as location data and financial data.
  • Data processed on a large scale: the number of individuals concerned, the volume or range of different data items, the duration of the processing and its geographical extent are all potential components of this risk factor. I.e. the greater the volume, the greater the responsibility.
  • Matching or combining datasets: in particular, where the datasets originate from different processing operations and data subjects could not reasonably expect them to be combined.
  • Data concerning vulnerable data subjects: in cases where there is an imbalance in the relationship between the controller and the data subject including; for example, children, employees, the mentally ill, patients or the elderly.
  • Innovative use of technological or organisational solutions: the use of new technologies with novel forms of data collection and use.
  • The processing prevents an individual from exercising a right or using a service: including processing aimed at “allowing, modifying or refusing access to a service or entry into a contract”; for example, where a bank screens a customer against a credit reference database to decide whether to offer a loan.

The WP29 DPIA Guidelines also indicate that a DPIA may still be required even if the processing meets only one of the above criteria where a single criteria is enough to pose a high risk of harm to the rights and freedoms of individuals; for example, where the processing involves profiling which leads to exclusion of, or discrimination against, individuals.

Conversely, a DPIA may not be required where an organisation is confident that despite the existence of two of the above processing criteria, the processing is unlikely to result in a high risk (ICO DPIA guidance). In this case, it is important that the reasons for not undertaking a DPIA are documented.

ICO criteria for conducting a DPIA

Article 35(4) of the GDPR also requires supervisory authorities to publish a list of the kind of processing operations that are likely to be high risk and will require a DPIA.

The UK supervisory authority, the Information Commissioner’s Office (ICO), updated its DPIA guidance in January 2019. The ICO DPIA guidance states that some of these further ten types of processing operation will require a DPIA automatically, and some only when they occur in combination with one of the other items, or any of the criteria in the WP29 DPIA guidelines referred to above:

  • Innovative technology. This is processing involving the use of innovative technologies, or the novel application of existing technologies (including artificial intelligence). A DPIA is required where this processing is combined with any of the criteria from the WP29 DPIA guidelines.
  • Denial of service. That is, decisions that concern an individual’s right to access a product, service, opportunity or benefit which are based on automated decision-making or involve the processing of special category data.
  • Large-scale profiling.
  • Meaning data referring to metrics related to human characteristics. Biometric authentication is used in computer science as a form of identification and access control. A DPIA is required where any processing of biometric data is combined with any of the criteria from the WP29 DPIA guidelines.
  • Processing involving genetic data (other than that processed by a GP or health professional for the provision of healthcare to the data subject). A DPIA is required where this processing is combined with any of the criteria from the WP29 DPIA guidelines.
  • Data matching. Meaning the comparison of two sets of collected data.
  • Invisible processing. That is, processing of personal data that has not been obtained directly from the data subject. A DPIA is required where this processing is combined with any of the criteria from the WP29 DPIA guidelines.
  • Processing involving tracking an individual’s geolocation or behaviour. A DPIA is required where any processing of biometric data is combined with any of the criteria from the WP29 DPIA guidelines.
  • Targeting of children or other vulnerable individuals for marketing purposes, profiling or other automated decision-making or where online services are being offered directly to children.
  • Processing involving the risk of physical harm to individuals.

When is a DPIA not required?

According to the WP29, a DPIA is not required where:

  • The processing is not “likely to result in a high risk”.
  • The nature, scope, context and purposes of the processing are very similar to processing for which a DPIA has already been carried out (Article 35(1), GDPR).
  • The processing operations have been authorised by a supervisory authority before May 2018.
  • The processing has a legal basis in EU or member state law, where that law regulates the specific processing operation or set of operations in question, and a DPIA has already been carried out as part of a general impact assessment in the context of that legal basis. This will require sector relevant legal research.
  • The processing is included on the optional list (established by supervisory authorities) of processing operations for which no DPIA is required (Article 35(5)).

In relation to the UK, the ICO DPIA guidance states that although the ICO has the power to establish such a list, it has not done so yet, although it may consider doing so in the future following its experience of DPIAs in practice.

Getting ahead

The GDPR requires organisations to carry out DPIA’s “prior to the processing” of personal data. Therefore if your organisation plans to undertake the processing described, or already does, in order to comply with GDPR, a DPIA should be performed as early as possible.

For information on how to perform a DPIA read our blog here.

If you have any questions on data protection law or on any of the issues raised in this article please get in touch with one of our data protection lawyers.