Picture the scene: you’re a data protection manager logging on to start your day. You already have an idea of what you are working on for this wet Wednesday in the office. You check your emails, and there among the regulars and the expected, is an email from “I’manewby@paysthewages.com” in the HR department whose opening line says…

“We want to roll out this fantastic app we have found which can predict everything we need for every return we will ever work on, and it does it in such a quick and brilliant way we have already paid a deposit to “allwecandotogether” for 200 licences. It was suggested that I run it past you before we took delivery and paid the final instalment. Could you please cast an eye over it, sign it off and return it to me by Friday noon at the latest, otherwise we lose the deposit. Thanks”

Your first thought? No words!

Your second thought? Bet they haven’t done a DPIA.

Your third thought? Better prepare them – ask if they have half an hour free this morning when I can explain.

The probable outcome of this situation is that you, as the DP manager, will pull out all the stops, explain things in simple language and try to help this person and their team to get their app approved by the end of the week. But the first thing you MUST do is complete a DPIA for this activity as soon as possible.

What is a Data Protection Impact Assessment?

A Data Protection Impact Assessment. The words are largely self-explanatory – “impact assessment” – what happens if…?

A DPIA is a risk assessment to identify and minimise risks for a project or plan where personal data is being processed.

Let’s take this scenario for instance – an app for use in the HR department – will employee personal data be entered into the app? Maybe even special category data? Where will the information be transferred to? Where will it be held? Who will have access to it? What if it is not securely managed? What devices will it be used from? How long does the provider of the app hold on to the information? Has your organisation got the necessary lawful bases for using a third party for processing your employee data? Is it covered in your privacy notice? Is it proportionate for the purpose it is being used for?

All these questions and more must be answered BEFORE any kind of app is used with personal data.

More and more, AI is being used in applications and in business in general, which is a further reason to complete DPIAs. Where AI is used, this needs to be evidenced in the DPIA, because AI brings a different set of risks with it.

When should a DPIA be completed?

The legislation states that the DPIA should be completed prior to the processing – meaning this should be done as part of the decision-making process, not as an afterthought.

The UK GDPR clearly states that a DPIA is a legal requirement for any type of processing where there may be a “high risk to the rights and freedoms of individuals”. Additionally, the ICO publishes a list of processing activities which it considers to be automatically high risk, meaning that a DPIA is mandatory.

A DPIA is a tool which should be used before any new project or change of processing activities takes place with personal data. The point of completing a DPIA is to consider risks, to be compliant with the law, and to incorporate data protection by design and default. For it to be beneficial and really inform your decision making, it’s key to do them in a timely manner. Completing a DPIA after the fact means you could identify risks that you are not willing to accept, or unable to mitigate. If you have already signed up to an app, for example, it could be too late to cancel.

Why complete a DPIA?

Consistent use of DPIAs encourages a good privacy culture in organisations. DPIAs are a big part of showing your organisation is accountable, which is a key feature of the UK GDPR, as per Article 5.

It’s a huge advantage to be able to show completed DPIAs to auditors or new clients who want to know you care about personal data. To get everyone thinking about completing DPIAs before new projects are implemented, as standard practice, is a great demonstration of how you value personal data. Some organisations actually publish DPIAs to show transparency and encourage trust from data subjects and build a reputation for compliance with privacy legislation.

The Information Commissioner has a DPIA template which any organisation can use, but of course, tailored impact assessments can be used too if they cover the basics. They don’t need to be arduous or complicated.

What do they include?

Article 35 of the UK GDPR sets out the specifics. But many DPIA templates break those specifics down into more manageable questions, making it easier for you to consider the appropriate things.

Here’s a sample of the sort of questions that you might come across:

  • What are the aims of the project?
  • What type of processing does it involve?
  • How will the information be collected, used, stored and deleted?
  • What’s the source of the data? 
  • Will it be shared with any third party?
  • What is the nature of the data?
  • Does it include special category or criminal offence data?
  • How much data will be used? 
  • How often will it be processed?
  • How long will it be kept?
  • How many individuals will it affect?
  • What’s your relationship with the individuals?
  • Would they expect you to be using their data in this way?
  • Does the processing involve children or other vulnerable groups?
  • What are the security arrangements around the data?
  • What are the benefits of processing in the proposed way?
  • What is the lawful basis for processing in this way?
  • Is there another way to achieve the same outcome?
  • How will you ensure data quality and data minimisation?
  • What will you tell individuals about the processing? 
  • What safeguards are in place?

The list might look daunting, but it’s a comprehensive way to really consider the processing, and to think about the potential risks that the new activity may pose to your data subjects. Templates make the process easier, and offer granular sections to enter specific information.

Who should complete a DPIA?

The individual who knows the most about the new activity is best placed to do the first draft; they may want to consult others, including the data protection team. Once the DPIA is completed, it should be escalated to the Data Protection Officer (DPO), or equivalent, to be reviewed and filed.

Also, don’t forget that things can change, so make sure you review the DPIAs periodically to ensure they are accurate and consider any new developments. We would recommend that this is done at least annually, or more often if necessary.

In short, new processing of personal data needs to be assessed to protect the rights and freedoms of individuals. A DPIA is a tool which is used to do just that. It should be the first thing completed on every project or purchase. DPIAs are invaluable for compliance and transparency, and help to ensure your organisation is effectively identifying, mitigating, and monitoring risks.

Can I outsource completing DPIAs?

Yes – in fact, DPAS can offer to complete DPIAs for your organisation. We can offer guidance and support for you to do your own DPIAs, and we also offer training where DPIAs are covered in greater depth. They shouldn’t be scary, but rather part of the very first process when working with personal data. If your organisation needs support with completing DPIAs, or if you need training in data protection (including DPIAs), get in touch with our team and we’ll be happy to help you.

“As a data protection professional of over 25 years I can only stress how useful a DPIA is, and wish they were done by teams in organisations where I have worked before. In one instance, I had to stop a very expensive project because I was only consulted just before going live – ‘please can you cast an eye over this and approve it by Friday?’”
Teresa Gudge
Privacy Consultant

Written by Teresa Gudge
