- What’s new under the GDPR?
- What is a DPIA?
- When do we need to do a DPIA?
- How do we carry out a DPIA?
- Do we need to consult the ICO?
The GDPR introduces a new obligation to do a DPIA before carrying out processing likely to result in a high risk to individuals’ rights and freedoms. If your DPIA identifies a high risk which you cannot mitigate, you must consult the ICO before you start the processing.
This is a key element of the new focus on accountability and data protection by design, and a more risk-based approach to compliance.
Some organisations will already carry out privacy impact assessments (PIAs) as a matter of good practice. If so, you will need to review your processes to make sure they comply with GDPR requirements. The big changes are that DPIAs are now mandatory in some cases, and there are specific requirements for content and process.
If you have not already got a PIA process, you will need to design a new DPIA process and embed this into your organisational policies and procedures.
In the run-up to 25 May 2018, you also need to review your existing processing operations and decide whether you need to do a DPIA for anything which is likely to be high risk. You will not need to do a DPIA if you have already considered the relevant risks and safeguards, unless there has been a significant change to the nature, scope, context or purposes of the processing.
A DPIA is a process to systematically analyse your processing and help you identify and minimise data protection risks. It must:
- describe the processing and your purposes;
- assess necessity and proportionality;
- identify and assess risks to individuals; and
- identify any measures to mitigate those risks and protect the data.
It does not have to eradicate the risk, but should help to minimise risks and consider whether or not they are justified.
You must do a DPIA for processing that is likely to be high risk. But an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability more generally and building trust and engagement with individuals.
A DPIA may cover a single processing operation or a group of similar processing operations. A group of controllers can do a joint DPIA.
It’s important to embed DPIAs into your organisational processes and ensure the outcome can influence your plans. A DPIA is not a one-off exercise and should be seen as an ongoing process, kept under regular review.
DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – whether physical, material or non-material – to individuals or to society at large.
To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals. It should look at risk based on the specific nature, scope, context and purposes of the processing.
You must do a DPIA before you begin any type of processing which is “likely to result in a high risk”. This means that although the actual level of risk has not been assessed yet, you need to screen for factors which point to the potential for a widespread or serious impact on individuals.
In particular, the GDPR says you must do a DPIA if you plan to:
- use systematic and extensive profiling with significant effects;
- process special category or criminal offence data on a large scale; or
- systematically monitor publicly accessible places on a large scale.
The ICO also requires you to do a DPIA if you plan to:
- use new technologies;
- use profiling or special category data to decide on access to services;
- profile individuals on a large scale;
- process biometric data;
- process genetic data;
- match data or combine datasets from different sources;
- collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
- track individuals’ location or behaviour;
- profile children or target services at them; or
- process data that might endanger the individual’s physical health or safety in the event of a security breach.
You should also think carefully about doing a DPIA for any other processing which is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals.
Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.
A DPIA should begin early in the life of a project, before you start your processing, and run alongside the planning and development process. It should include these steps:
You must seek the advice of your data protection officer (if you have one). You should also consult with individuals and other stakeholders throughout this process.
The process is designed to be flexible and scalable. You can use or adapt our sample DPIA template, or create your own. If you want to create your own, you may want to refer to the European guidelines which set out Criteria for an acceptable DPIA.
We recommend that you publish your DPIAs, with sensitive details removed if necessary.
If you have carried out a DPIA that identifies a high risk, and you cannot take measures to reduce that risk to an acceptable level, you need to consult the ICO. You cannot go ahead with the processing until you have done so.
The focus is on the ‘residual risk’ after any mitigating measures have been taken. If your DPIA identified a high risk, but you have taken measures to reduce this risk so that it is no longer a high risk, you do not need to consult the ICO.
You need to complete our online form and submit a copy of your DPIA.
Once we have the information we need, we will generally respond within eight weeks (although we can extend this by a further six weeks in complex cases).
We will provide you with a written response advising you whether the risks are acceptable, or whether you need to take further action. In some cases we may advise you not to carry out the processing because we consider it would be in breach of the GDPR. In appropriate cases we may issue a formal warning or take action to ban the processing altogether.