Ibrahim Hasan looks at how data controllers can comply with the obligation to produce data protection impact assessments.
Article 35 of GDPR introduces a new obligation on Data Controllers to conduct a Data Protection Impact Assessment (DPIA) before carrying out personal data processing likely to result in a high risk to the rights and freedoms of individuals. If the DPIA identifies a high risk that cannot be mitigated, the Information Commissioner’s Office (ICO) must be consulted.
DPIAs are a tool which can help Data Controllers identify the most effective way to comply with their GDPR obligations and reduce the risks of harm to individuals through the misuse of their personal information. A well-managed DPIA will identify problems and allow them to be fixed at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur. DPIAs are also an important tool for accountability as they help Data Controllers to demonstrate that appropriate measures have been taken to ensure compliance with the Data Protection Principles (see Article 5(2)).
When is a DPIA needed?
Carrying out a DPIA is not mandatory for every personal data processing operation. It is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)).
Such processing, according to Article 35(3)), includes (but is not limited to):
- systematic and extensive evaluation of personal aspects relating to an individual which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significant effect the individual
- processing on a large scale of special categories of data or of personal data relating to criminal convictions or offences
- a systematic monitoring of a publically accessible area on a large scale
So what other cases will involve “high risk” processing that may require a DPIA? The ICO’s DPIA guidance states that it requires a Data Controller to do a DPIA if it plans to:
- use new technologies;
- use profiling or special category data to decide on access to services;
- profile individuals on a large scale;
- process biometric data;
- process genetic data;
- match data or combine datasets from different sources;
- collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
- track individuals’ location or behaviour;
- profile children or target marketing or online services at them; or
- process data that might endanger the individual’s physical health or safety in the event of a security breach.
The ICO guidance contains screening checklists to help Data Controllers decide when to do a DPIA. In addition they are advised to think carefully about doing a DPIA for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals. Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any new major project involving the use of personal data.
What information should the DPIA contain?
The GDPR sets out the minimum features of a DPIA in Article 35(7) (see also Recitals 84 to 95):
- A systematic description of the envisaged processing operations and the purposes, including, where applicable, the legitimate interests pursued by the Data Controller.
- An assessment of the necessity and proportionality of the processing in relation to the purposes.
- An assessment of the risks to Data Subjects.
- The measures in place to address the risks, including safeguards and security measures, and to demonstrate that the Data Controller is complying with GDPR.
A DPIA can address more than one project. A sample DPIA template is included with the ICO guidance and number of methodologies are referenced in the A29WP guidance (Annex 2).
When should a DPIA be conducted?
DPIAs should be conducted prior to the processing operation commencing. DPIAs are an integral part of taking a Privacy by Design approach which is emphasised in Article 25. The DPIA should be treated as a continual process, not a one-time exercise. Data Controllers should start it early and update it throughout the lifecycle of the project.
What about current data processing operations?
The GDPR comes into force on 25 May 2018, and DPIAs are legally mandatory only for processing operations that are initiated after this date. Nevertheless, the Article 29 Working Party strongly recommends carrying out DPIAs for all high-risk operations prior to this date.
The ICO says that Data Controllers should also review their existing processing operations to identify whether they currently do anything that would be considered likely high risk under the GDPR. If so, they have to be confident that they have already adequately assessed and mitigated the risks of that project. If not, they may need to conduct a DPIA now to ensure the processing complies with the GDPR. However, the ICO does not expect Data Controllers to do a new DPIA for established processing where they have already considered relevant risks and safeguards (as part of a formal or informal risk assessment process) – unless there has been a significant change to the nature, scope, context or purposes of the processing since that previous assessment.
The ICO recommends that Data Controllers document their review and reasons for not conducting a new DPIA where relevant, to help them demonstrate compliance if challenged.
Who should conduct the DPIA?
A DPIA may be conducted by the Data Controller’s own staff or an external consultant. Of course the Data Controller remains liable for ensuring it is done correctly. The Data Protection Officer’s advice, if one has been designated, must also be sought as well as the views (if appropriate) of Data Subjects or their representatives and Data Processors.
If the DPIA suggests that any identified risks cannot be managed and the residual risk remains high, the Data Controller must consult with the Information Commissioner before moving forward with the project. The ICO will give written advice within eight weeks, or 14 weeks in complex cases. If appropriate, the ICO may issue a formal warning not to process the data, or ban the processing altogether.
Regardless of whether or not consultation with the ICO is required, the Data Controller’s obligations of retaining a record of the DPIA and updating the DPIA in due course remain.
Even if ICO consultation is not required, the DPIA may be reviewed by the ICO at a later date in the event of an audit or investigation arising from the Data Controller’s use of personal data.
What are the risks of non-compliance?
Failure to carry out a DPIA when the processing is subject to a DPIA (Article 35(1) and (3)), carrying out a DPIA in an incorrect way (Article 35(2) and (7) to (9)), or failing to consult the ICO where required (Article 36(3)(e)), can each result in an administrative fine of up to 10 million euros, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Ibrahim Hasan is a solicitor and director of Act Now Training. This article first appeared on the Act Now Blog. Information on the company's courses can be found on Local Government Lawyer's courses and events section.