Regular readers of 43Legal’s blog will have seen us mention the importance of conducting a Data Protection Impact Assessment (DPIA) to ensure compliance with the UK GDPR. Understanding what a DPIA is and how to undertake one correctly is important, not only in terms of risk management, but for maintaining trust and confidence with your organisation’s stakeholders, including investors, partners, and customers.

Defining a Data Protection Impact Assessment

According to the Information Commissioner’s Office (ICO), a DPIA is a process designed to help identify and reduce data protection risks within a project.

When is a DPIA Necessary?

Under Article 35 of the UK GDPR, a DPIA is required when data processing activities are “likely to result in a high risk to the rights and freedoms of natural persons.” The term ‘high risk’ is not explicitly defined, leaving businesses to determine the necessity of a DPIA. However, guidance on DPIAs provided by the General Data Protection Regulation (WP29 DPIA Guidelines) suggest that a DPIA is necessary if the processing meets two or more of the following criteria:

• Assessment or scoring: Such as credit scoring.
• Automated decision-making: With significant effects.
• Systematic monitoring: For example, monitoring employees’ online activities.
• Processing sensitive data: Including special categories of data as per Article 9 or data that generally increases risks for individuals, like location or financial data.
• Large scale processing: Handling data on a substantial scale.
• Combining data sets: Especially when the data subjects might not expect their data to be combined.
• Data concerning vulnerable individuals: Such as children or the elderly.
• Use of innovative technology: With new forms of data collection.
• Restricting rights: Preventing people from exercising a right or using a service.

The ICO also requires a DPIA if the project involves:

• Processing biometric or genetic data.
• Collecting personal data without informing the data subject.
• Tracking location or behaviour.
• Profiling or targeting marketing towards children.
• Processing data that could compromise physical health or safety if breached.

Uncertainty regarding whether the processing is ‘high risk’

If there is uncertainty about whether the data processing involves ‘high risk,’ the ICO advises conducting a DPIA. If a decision is made against performing a DPIA, it is crucial to document the rationale behind this decision. Recital 91 advises that a DPIA should be made where personal data is processed for profiling matters related to security or controlling criminal activity. In addition, an assessment should be carried out where data is processed to monitor public areas on a large scale, especially when using optic-electronic devices or in any other situation where data processing could affect the rights and freedoms of the data subjects.

Steps to Conducting a Data Protection Impact Assessment

In her article, A practical guide to conducting data protection impact assessments[1], published in the Privacy and Data Protection Journal, Sandy Tsakiridi states:

“A DPIA should be carried out sufficiently early and in any event, prior to the actual processing, which is in line with the privacy by design and by default requirement of the GDPR. From an operational point of view, considering DPIAs at the outset of a new project (as opposed to enacting changes further down the line) will require less time and resources. Therefore, DPIAs should not be an afterthought, but rather addressed at the planning stage.”

She then goes on to say:

“Many organisations do not have a defined process in place, or conduct assessments on an ad hoc basis. This is time-consuming, costly and does not guarantee consistency. The GDPR does not lay down the exact form and structure of DPIAs, so organisations are free to develop and follow a format and methodology that is appropriate, depending on their size, the nature and complexity of processing as well as their resources. The Working Party guidance includes annexes with examples of frameworks and criteria for an acceptable DPIA.”

The ICO provides guidance stating that any major project which requires the processing of personal data should have a DPIA attached, which should contain the following elements:

• A description of the nature, scope, context, and purposes of the processing;
• An assessment of the necessity, proportionality, and compliance measures;
• Identification and assessment of the risks to individuals; and
• Identification of any additional measures to mitigate those risks.

According to the ICO, a “good” DPIA will provide proof that:

• The organisation has considered the risks related to the intended processing; and
• The broader data protection obligations associated with the project have been met.

The DPIA should be documented and maintained throughout the project’s duration. This documentation can be crucial if the ICO investigates a complaint, because it demonstrates proactive compliance with the regulations.

Consequences of Failing to Conduct a DPIA

As well the time, stress, cost, and reputational damage associated with an ICO investigation, the UK GDPR provides for hefty financial penalties should an organisation commit a breach:

• The standard maximum amount is £8.7 million or, in the case of an undertaking, is the higher of either £8.7 million or 2% of the undertaking’s total worldwide annual turnover in the preceding financial year.
• The higher maximum amount is £17.5 million or, in the case of an undertaking, is the higher of either £17.5 million or 4% of the undertaking’s total worldwide annual turnover in the preceding financial year.

Conducting a DPIA is not just about legal compliance; it is a crucial step in safeguarding people’s personal information and ensuring the integrity of your business practices.

To find out more about any matters discussed in this article, please email us at [email protected] or phone 0121 249 2400.

The content of this article is for general information only.  It is not, and should not be taken as, legal advice.  If you require any further information in relation to this article, please contact 43Legal.

[1] P. & D.P. 2018, 18(7), 13-15