The Importance Of DPIA And Its 3 Types Of Processing
What is a DPIA?
A DPIA is a process designed to help you systematically analyse, identify and minimise the data protection risks of a project or plan. It is a key part of your accountability obligations under the GDPR, and when done properly helps you assess and demonstrate how you comply with all of your data protection obligations.
It does not have to eradicate all risk, but should help you minimise risk and determine whether or not the remaining level of risk is acceptable in the circumstances, taking into account the benefits of what you want to achieve.
DPIAs are designed to be a flexible and scalable tool that you can apply to a wide range of sectors and projects. Conducting a DPIA does not have to be complex or time-consuming in every case, but there must be a level of rigour in proportion to the privacy risks arising.
Why are DPIAs important?
DPIAs are an essential part of your accountability obligations. Conducting a DPIA is a legal requirement for any type of processing, including certain specified types of processing, that is likely to result in a high risk to the rights and freedoms of individuals. Under the GDPR, failure to carry out a DPIA when required may leave you open to enforcement action, including a fine of up to €10 million, or 2% of global annual turnover if higher.
By considering the risks related to your intended processing before you begin, you also support compliance with another general obligation under GDPR: data protection by design and default.
How are DPIAs used?
A DPIA can cover a single processing operation, or a group of similar processing operations. You may even be able to rely on an existing DPIA if it covered a similar processing operation with similar risks. A group of controllers can also do a joint DPIA for a group project or industry-wide initiative.
For new technologies, you may be able to use a DPIA done by the product developer to inform your own DPIA on your implementation plans.
You can use an effective DPIA throughout the development and implementation of a project or proposal, embedded into existing project management or other organisational processes.
What kind of ‘risk’ do they assess?
There is no explicit definition of ‘risk’ in the GDPR, but the various provisions on DPIAs make clear that this is about the risks to individuals’ interests. Article 35 says that a DPIA must consider “risks to the rights and freedoms of natural persons”. This includes risks to privacy and data protection rights, but also effects on other fundamental rights and interests.
What types of processing automatically require a DPIA?
There are 3 types of processing which always require a DPIA:
- Systematic and extensive profiling with significant effects:
“(a) any systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.”
- Large scale use of sensitive data:
“(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10.”
- Public monitoring:
“(c) a systematic monitoring of a publicly accessible area on a large scale.”
Are there any exceptions?
You may not have to carry out a DPIA if:
- You are processing on the basis of legal obligation or public task. However, this exception only applies if:
  - you have a clear statutory basis for the processing;
  - the legal provision or a statutory code specifically provides for and regulates the processing operation in question;
  - you are not subject to other obligations to complete DPIAs derived from specific legislation, such as the Digital Economy Act 2017; or
  - a data protection risk assessment was carried out as part of the impact assessment when the legislation was adopted. This may not always be clear, so in the absence of any clear and authoritative statement on whether such an assessment was done, we recommend you err on the side of caution and do a DPIA to ensure you consider how best to mitigate any high risk.
- You have already done a substantially similar DPIA. You need to be confident that you can demonstrate that the nature, scope, context and purposes of the processing are all similar.
- The ICO issues a list of processing operations which do not require a DPIA. We have the power to establish this type of list, but we have not done so yet. We may consider a list in future in the light of our experience of how the DPIA provisions are being interpreted in practice.
What are the key elements of a DPIA process?
A DPIA should begin early in the life of a project, before you start your processing, and run alongside the planning and development process. It should include these steps:
- Step 1: identify the need for a DPIA
- Step 2: describe the processing
- Step 3: consider consultation
- Step 4: assess necessity and proportionality
- Step 5: identify and assess risks
- Step 6: identify measures to mitigate the risks
- Step 7: sign off and record outcomes
After sign-off you should integrate the outcomes from your DPIA back into your project plan, and keep your DPIA under review. Throughout this process, you should consult individuals and other stakeholders as needed.
The DPIA process is designed to be flexible and scalable. You can design a process that fits with your existing approach to managing risks and projects, as long as it contains these key elements.
You can also scale the time and resources needed for a DPIA to fit the nature of the project. It does not need to be a time-consuming process in every case.
Who is responsible for the DPIA?
You can decide who has responsibility for carrying out DPIAs in your organisation, and who signs them off. You can outsource your DPIA, but you remain responsible for it. If you have a Data Protection Officer (DPO), you must ask for their advice on your DPIA, and document it as part of the process.
You may want to ask a processor to carry out a DPIA on your behalf if they do the relevant processing operation, but again you remain responsible for it.
Who should be involved in the DPIA?
As well as the business area or individual who is leading on the project or process requiring the DPIA, you should also involve:
- a DPO, if you have one;
- information security staff;
- any processors; and
- legal advisors or other experts, where relevant.
What is the role of the DPO?
If you have a DPO, you must seek their advice. The DPO should provide advice on:
- whether you need to do a DPIA;
- how you should do a DPIA;
- whether to outsource the DPIA or do it in-house;
- what measures and safeguards you can take to mitigate risks;
- whether you’ve done the DPIA correctly; and
- the outcome of the DPIA and whether the processing can go ahead.
You should record your DPO’s advice on the DPIA. If you don’t follow their advice, you should record your reasons and ensure you can justify your decision.
DPOs must also monitor the DPIA’s ongoing performance, including how well you have implemented your planned actions to address the risks.