If your business is planning a new project or venture that involves processing personal data, you may need to undertake a Data Protection Impact Assessment (DPIA) to ensure your organisation complies with the UK GDPR.
In this article, we explain everything you need to know about DPIAs, including when they should be used and what data you should be evaluating.
What is a Data Protection Impact Assessment?
A Data Protection Impact Assessment is a process used to identify and reduce the data protection risks of a project. It involves evaluating the potential impact that a particular project or activity might have on the privacy of individuals.
A DPIA can help organisations assess the data protection risks associated with their projects and take appropriate steps to mitigate those risks. A DPIA is a key part of the data protection compliance process and is required by the UK GDPR for certain types of activities.
When might a Data Protection Impact Assessment be used?
Article 35 of the GDPR provides that a DPIA must be conducted when processing personal data is "likely to result in a high risk to the rights and freedoms of natural persons" (Article 35(1), (3) and (4)). The UK GDPR doesn’t define ‘high risk’, leaving it up to individual organisations to decide whether a DPIA is required.
The Guidelines on DPIAs under the General Data Protection Regulation (Regulation (EU) 2016/679) (WP29 DPIA Guidelines) indicate that a DPIA should be carried out if data processing involves two or more of the following criteria:
- Evaluating or scoring people, for example, applying a credit rating to individuals
- Automated decision making with legal (or similar) effects
- Ongoing monitoring, for example, observing employees’ internet use
- Sensitive or highly personal data (including special categories of data as defined in Article 9) or data which more generally increases risks for individuals or impacts the exercise of a fundamental right as defined in Article 4(28) of the UK GDPR (such as location data and financial data)
- Processing data on a large scale
- Matching or combining data sets, especially if the data subjects in question couldn’t reasonably expect their data to be combined in such a way
- The data concerns vulnerable people
- The use of innovative technologies with novel forms of data collection and use
- The processing prevents an individual from exercising a right or using a service, for example, being able to buy insurance cover
The ICO also requires a DPIA to be completed if a project involves any of the following:
- Processing biometric data (in combination with any of the criteria from the European guidelines)
- Processing genetic data (in combination with any of the criteria from the European guidelines)
- Collecting personal data from a source other than the data subject without providing them with a privacy notice (‘invisible processing’) (in combination with any of the criteria from the European guidelines)
- Tracking people’s location or behaviour (in combination with any of the criteria from the European guidelines)
- Profiling children or targeting marketing or online services at them; or
- Processing data that might endanger someone’s physical health or safety in the event of a security breach
If you’re unsure whether a project involves ‘high risk’ data processing, the ICO recommends that a DPIA is undertaken. Should you decide not to conduct a DPIA, ensure you document your reasons for that decision.
How do you conduct a Data Protection Impact Assessment?
If you’ve decided that a Data Protection Impact Assessment is required, following the steps below will ensure you can prove compliance with the UK GDPR:
- Step one – Set out the nature, scope, purpose, and data processing method
- Step two – Assess the necessity and proportionality of the processing activity (ask the question, is there an alternative way to achieve the desired results without processing personal data?)
- Step three – Evaluate the risks to the rights and freedoms of data subjects
- Step four – Create policies and procedures to eliminate or mitigate any risks identified
A DPIA should be documented and retained throughout the life of the project. This is extremely important because if the ICO receives a complaint from a data subject, the DPIA can be used to demonstrate that you proactively took steps to comply with the regulations.
Are Data Protection Impact Assessments mandatory?
Data Protection Impact Assessments are a legal requirement for processing likely to be high risk. But an effective DPIA can also bring broader compliance, and financial and reputational benefits, helping you demonstrate accountability and building trust and engagement with individuals.
What happens if I neglect to do a mandatory Data Protection Impact Assessment?
If you don’t comply with the DPIA requirements, the ICO can impose a significant fine on your business. Non-compliance can result in an administrative fine of up to £8.5 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Get legal assistance from LawBite
Establishing whether a Data Protection Impact Assessment is required, and then running the assessment in a way that complies with the UK GDPR, is a complex matter for which your team may need legal support.
If you need advice concerning data protection and privacy law, you can book a free 15-minute call with one of our expert data protection lawyers, who can help you navigate the law and your available options - or call us on 020 3808 8314.