What Are DPIAs
Article 35 of the General Data Protection Regulation (GDPR) focuses on the Data Protection Impact Assessment (DPIA) and what obligations organisations have in considering and carrying them out. The ICO and The Article 29 Working Party (WP29) have also created guidelines and publications on impact assessments, with the latter citing the definition of a DPIA as being: –
“A process designed to describe the processing, assess the necessity and proportionality of a processing and to help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data.”
DPIAs involve several stages that aim to describe the processing, determine if it is necessary, identify and assess the risks and where possible, define and develop safeguards and mechanisms to mitigate those risks. Where processing is likely to result in a high risk to individuals, an impact assessment is the tool used to protect the individual(s) and their information as far as possible.
DPIAs are essential for meeting the governance and accountability requirements of the Regulation and provide structure as well as compliance for those carrying them out. The DPIA enables a pre-emptive, responsible approach: risks are assessed and mitigating controls developed before the processing activity starts, rather than finding out after the fact how individuals have been affected.
When is a DPIA Required?
Not every processing activity requires an impact assessment; however, it is important to show evidence that all processing activities are being assessed for their high-risk potential and/or whether they meet the criteria for requiring a DPIA under the GDPR. In some cases, although a DPIA may not be mandatory, organisations could still find it best practice to carry out an assessment, enabling lower-risk processing operations to be assessed and the risks to individuals calculated and, if possible, mitigated.
Article 35(1) of the GDPR defines when a DPIA must be carried out and notes that “where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons”, carrying out an impact assessment prior to the processing is required, with a view to identifying and assessing the impact of the noted processing operation(s) on the protection of personal data and the data subject.
Organisations are responsible for identifying which processing activities are likely to result in high risks to individuals; however, under Article 35(3) and Recital 91, the Regulation does offer some specific situations of when a DPIA is required: –
- A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person or following the processing of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures
- Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10
- A systematic monitoring of a publicly accessible area on a large scale (especially when using a new technology or optic-electronic devices or other operations defined by the supervisory authority)
As the above list is non-exhaustive, organisations also have additional guidance to assist in identifying the kinds of processing operations requiring an impact assessment. These include the as yet unpublished supervisory authority list referred to in Article 35(4) and the existing WP29 ‘Guidelines on DPIAs’, which is a very useful resource for understanding DPIAs, with guidance on pages 7-10 on some situations in which a DPIA would be required.
Carrying out a DPIA
It is key to understand that the impact assessment must be carried out prior to the processing and that it should be started as early as possible. A DPIA should be fluid, with many of the assessment stages being revisited throughout the project cycle. As the processing activities are defined and technical and operational decisions are made, the direction of the project can change and so reassessing earlier stages in the assessment can be pivotal.
The evolutionary design and process of a DPIA enables organisations to assess the data protection and privacy aspects of the processing operations from all approaches and angles, ensuring that every facet of the project is considered.
Article 35(7) describes the minimum expected features of a DPIA: –
- A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes
- An assessment of the risks to the rights and freedoms of data subjects referred to in Article 35(1)
- The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned
Recitals 84 and 90 of the Regulation respectively provide more detail on what a DPIA should evaluate, including the origin, nature, particularity and severity of any risks; the measures, safeguards and mechanisms envisaged for mitigating those risks; and the nature, scope, context and purposes of the processing itself.
Using screening questions at the start of the assessment is an excellent way to assess from the beginning if the processing is likely to result in a high risk to individuals. There should be stages in the assessment that include creating a project brief, risk identification, evaluation of the risks, consultations, measures and mitigation actions, outcome analysis and full documentation.
The process is not just a start-finish exercise! The nature of the DPIA means that revisiting stages will often occur and those carrying out the DPIA must be flexible in their thinking and approach. Recording everything is key in a DPIA, as is involving all persons and entities who have an impact on the processing operation or project. Whilst a DPO or DPIA lead may carry out the actual assessment, gaining the insights and concerns of other departments, employees, stakeholders and processors (where applicable) is pivotal.
Considerations & Consultations
There are several other considerations and requirements that affect DPIAs and those carrying them out, some of which are noted below.
The controller is ultimately responsible for ensuring that the DPIA is effective and completed, even where another person or entity (internal or external) carries out the actual assessment.
The GDPR advises that when carrying out a DPIA, the controller must seek the advice of the Data Protection Officer (where designated). Their input and advice must be recorded on the DPIA. It is also required (where appropriate), to seek the views of the data subjects (or their representatives) on the intended processing.
A DPIA’s main purpose is to assess an individual processing activity; however, the Regulation makes it clear that “A single assessment may address a set of similar processing operations that present similar high risks.” This means that if there are multiple processing operations, but the risks and outcomes are similar, then the same assessment can be used. Article 92 provides an example of the above as: “where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector”.
The Regulation also advises that where necessary, the controller should carry out a review of the assessed processing to ensure that it is being carried out in accordance with the DPIA outcomes and mitigations. This is especially important where processing operations have resulted in a change of or to the risk.
Where the DPIA indicates that the processing would result in a high risk to individuals in the absence of safeguards, security measures and mechanisms to mitigate those risks, and where the risk cannot be mitigated by reasonable means (i.e. systems, costs, technology, etc.), controllers are obligated to consult with the Supervisory Authority prior to processing taking place.
This article provides an overview of the DPIA requirements and process and is not in itself a complete process document. Referring to the Regulation gives the exact criteria and requirements for impact assessments, and we have also provided some useful resource links below: –
The ICO provides a DPIA overview on their site as well as a link to their ‘Conducting PIA Code of Practice’ – https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/accountability-and-governance
The Article 29 Working Party (WP29) have a substantial guidance sheet for DPIAs – http://ec.europa.eu/newsroom/document.cfm?doc_id=44137
Know Your Compliance’s GDPR Section provides an extensive DPIA Document that covers the full assessment process, stages and templates – https://www.knowyourcompliance.com/product-category/gdpr