A Data Protection Impact Assessment (DPIA) is a way of systematically analysing data processing activities to assess whether the processing is necessary and proportionate, and identify and minimise any potential risks to the rights and freedoms of data subjects.
The EU General Data Protection Regulation (GDPR) gives DPIAs much more prominence, and makes it mandatory to carry them out in certain circumstances.
The European Data Protection Board (EDPB) and the UK's Information Commissioner's Office (ICO) have published guidance on DPIAs, which make it clear that organisations must (unless certain very limited exceptions apply) conduct a DPIA if the processing: (a) is likely to result in a high risk to the rights and freedoms of individuals; or (b) involves any of the following:
- systematic and extensive evaluation of personal aspects of individuals using automated processing (including profiling) which is used to make decisions about that individual that produce legal or similarly significant effects;
- large scale processing of special category data (include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life or sexual orientation) or data relating to criminal convictions;
- systematic monitoring of a publicly accessible area on a large scale;
- use of new technologies, or using existing technology in a novel way;
- denial of access to products, services, opportunities or benefits based on automated decision-making or processing of special category data;
- large scale profiling of individuals;
- processing biometric data or genetic data;
- matching or combining datasets from different sources;
- collecting data from a source other than the individual without providing them with a privacy notice (so called "invisible processing");
- tracking an individual’s location, or behaviour;
- profiling children, or target marketing or online services at them; and
- processing data that might endanger the individual’s physical health or safety in the event of a security breach.
So how is it working in practice?
Since the GDPR came into effect, carrying out DPIAs has not been a priority for some organisations, as they have focused their efforts on areas of implementation which can seem more urgent (such as updating their privacy notices, obtaining consent, and updating contracts). Now that these most obvious concerns have been addressed or are at least well underway, attention is turning to the less prominent – though still important - areas of compliance, including DPIAs.
Below are a few of the situations we are coming across in practice:
DPIAs not being performed when they are needed
Some organisations are only just waking up to the full range of situations where a DPIA is either mandatory or likely to be required. For example, use of fingerprint entry for access or identity verification, re-use of publicly available data, or use of artificial intelligence/algorithms to automate existing processes.
DPIAs being carried out too late in the day
Companies are starting to identify correctly situations which require a DPIA, but are doing so when the project is already quite far progressed, at a stage when carrying out a DPIA is less likely to help the business fully meet the requirements of the GDPR, or will mean that costs increase as a system has to be re-specified or amended.
There seem to be a range of reasons for this. For example, at the start of a new project, a business’s design and development team may not instinctively seek the input of the person responsible for data privacy - a role often fulfilled by the legal or compliance team – because that person is simply not on the design team's radar. Or it may be that involving them right from the outset is seen as premature.
Companies need to ensure that their processes build in consideration of whether a DPIA is needed, and, if it is needed, time to conduct it and implement any recommendations. These should be supplemented by training and communication to highlight the need for business teams to build in sufficient time for DPIAs.
DPIA mitigations not being implemented
We are seeing situations where a DPIA has been conducted, has identified areas of potential high risk, and recommended steps to mitigate that risk, but the project has then proceeded without the mitigations being implemented correctly (or sometimes at all).
While this can be the result of an active decision taken by the business to accept certain risks, this should have been considered as part of the DPIA itself. More often, the problem can be inadvertent, due to a lack of a concrete plan or process to follow through the recommendations from a DPIA.
DPIAs not being kept updated
Some organisations seem to be viewing DPIAs as a one-off (or sometimes annual) event, whereas many will need regular or even continuous review. Over time, the risks in relation to a particular project may change. For example, the volume of data involved may be much greater than was anticipated initially. Alternatively, a company might decide to broaden the project in order to make additional services available to customers which are higher risk in terms of their personal data, or may decide that it wants to share customers’ personal data with third parties.
Some sectors are considering or have tried industry-wide DPIAs, where an overall DPIA is conducted by representative bodies or trade associations. The potential advantages of this approach include greater efficiency, and cost-effectiveness, as well as consistency of approach across a particular sector.
However, it is important that the analysis and the outcomes in the DPIA are appropriate for each individual organisation. In practice, there will normally need to be a bespoke, company-specific 'localisation' to enable the DPIA to meet the GDPR criteria for a particular business.
DPIAs as a marketing tool
We have seen some technology suppliers experimenting with DPIAs as a marketing tool. The EDPB Guidance anticipates that DPIAs may be used in this way. This approach may be a useful way of showing customers how a company has addressed key data privacy issues. However, if you are considering doing this, you will need to think very carefully about the commercial implications of how your DPIA is drafted, and how it works alongside the contract you have with your customers: for example, will a customer want you to warrant that the DPIA has been correctly conducted, or take it as a representation of GDPR compliance or process?
Companies are often forgetting that in some, limited, cases they need to consult with data subjects and the relevant data protection authority. DPIA templates and processes need to cater for these possibilities, albeit they will not need to be exercised in the majority of cases.
How we can help
DPIAs are a useful tool, which can drive better GDPR compliance. However, they do need to be properly embedded in business processes.
We regularly advise clients on conducting DPIAs and setting up DPIA processes. If you would like to discuss these aspects or any other issue relating to the GDPR further, please contact one of our specialists below, or your usual Osborne Clarke contact.