You should have heard of the term Data Protection Impact Assessment (DPIA) because it’s a core part of GDPR compliance, or maybe you’ve heard about it recently in the context of the NHS Coronavirus contact tracing app. As well as the recent questions about the app’s effectiveness and the UK government’s u-turn on its approach (after testing the app on the Isle of Wight), there have been questions (from the Open Rights Group) about whether the government carried out a DPIA, and the ICO published a lacklustre statement (with no update since) back in May:
“We are reviewing the Data Protection Impact Assessment for NHSX’s pilot of its contact tracing app in the Isle of Wight. We’ll feedback our comments as quickly as possible so that they can be usefully included in the learnings from the trial.”
If anything, DPIAs seem to be one of the most overlooked aspects of GDPR, with organisations not really knowing what they’re for and very few organisations carrying them out. This may in part be due, in the UK at least, to the gap between what the GDPR requires and what the ICO would like you to use them for. This shouldn’t be the case in the UK though, given that pre-GDPR we had Privacy Impact Assessments, which amount to the same thing. So what is a DPIA and why is it your GDPR best friend?
What’s a DPIA?
Data Protection Impact Assessments (DPIAs) are essentially a risk assessment. A DPIA is a tool that you can use to risk assess your data processing activities and identify ways to mitigate those risks. It works hand in hand with the GDPR principle of data protection by design and default, the concept that you should “bake in” (the ICO’s words, not mine) data protection into your processing activities and business processes.
How you carry out the DPIA is up to you – there are some templates around (including this one from the ICO), you can add the risks to your risk register if you have one, or you can just document (as a list or otherwise) what you’re doing, what the risks are and how you are going to mitigate those risks.
The practice is straightforward: consider what your data processing will involve (what kind of data, why it’s lawful for you to process the data, where the data is coming from, what you’ll be doing with it, etc.), then consider the risks from that processing and how you are going to fix those risks. If you can’t fix those risks and they are serious risks, you will need to speak to the ICO about them!
When should a DPIA be used?
So, if you look at the GDPR (Article 35), it requires a DPIA to be carried out when there is “high risk” processing, such as monitoring data subjects, processing data of vulnerable individuals, processing large amounts of personal data, or processing data that would be considered sensitive (e.g. special category data). But the ICO, in its guidance, suggests:
Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data
Essentially, therefore, if you’re doing anything different with data, regardless of its sensitivity or the risk to the data subjects, you should be carrying out a DPIA. This is likely to mean that when you change a system or service that you use for processing (e.g. moving from one CRM to another, upgrading an existing processing system) or are doing something new in terms of data processing, you should be carrying out a DPIA – after all, if you haven’t taken the time to consider the risks from your “new” processing, how can you demonstrate your compliance (which is required by the GDPR’s accountability principle)?
I’ve mentioned DPIA to organisations a lot recently in the context of the changing ways we’re all working currently, thanks to Coronavirus. If you’re now collecting health information (e.g. COVID-status, temperature checks, etc.) of your employees for example, or interacting with the NHS track and trace scheme, or allowing employees to work from home, etc. then you should be carrying out a DPIA.
How do you carry out a DPIA?
As I’ve said already, how you carry out a DPIA is up to you, but I’d suggest you use the ICO’s template – it asks the right questions, which should act as prompts for you to pick up on the processing risks.
Why’s a DPIA my GDPR best friend forever?
Simply put, it’s the best way for you to assess the risk of your data processing activity, and that’s what the GDPR is all about: understanding the risk to personal data from your processing and making sure you’re doing something about it. It should be a key tool in your GDPR compliance arsenal, and by having a documented DPIA you’re addressing the accountability requirements of GDPR.
So, don’t think about whether you should do one or not – just get on and do one. That way you can be sure you’re doing the right thing by your customers and you can be confident you’re doing something towards being GDPR compliant, which has to be good for everyone.
What if I need help?
That’s easy. We can help you with your DPIA – either by reviewing one you’ve already carried out to see if it covers all the risks and whether your solutions fix those risks, or by carrying one out for you. Our GDPR UNLIMITED helpline offers you some “hands-on” help to take care of it for you, or we can just set up a consultation hour to run through it with you – your choice. You have no excuse for not carrying one out.
Providing cost-effective, simple to understand and practical GDPR and ePrivacy advice and guidance, via my one-stop-shop helpline. I ❤️ GDPR