
Data Protection Impact Assessments (DPIAs), where do I start?

31 May 2024
Impact: Low - Moderate - High


What is a DPIA?

In layman's terms, a DPIA is a risk assessment to ensure that your chosen system or service complies with Data Protection law. If you are procuring a new system, platform, app or service which will be collecting or using personal data, and the processing is considered high risk, the UK GDPR makes it a legal requirement that a DPIA is completed in the planning stages.


When do we need a DPIA?

UK GDPR Article 35(3) lists three examples of types of processing that automatically require a DPIA, which are:

  1. a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
  2. processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10
  3. a systematic monitoring of a publicly accessible area on a large scale.

The Information Commissioner's Office (ICO) has published a list under Article 35(4) setting out ten more:

  1. Innovative technology – new technologies, or changes to existing technologies
  2. Denial of service – decisions about access to products, services, opportunities or benefits that are based on automated processing or involve special category personal data
  3. Large-scale profiling – any profiling of individuals on a large scale
  4. Biometric use – any use
  5. Genetic data use – excluding the provision of health services
  6. Data matching – combining, comparing or matching data from multiple sources
  7. Invisible processing – individuals are not aware of the processing
  8. Tracking – geolocation or behaviour
  9. Targeting of children or other vulnerable individuals – for marketing, profiling, automated decisions or online services
  10. Risk of physical harm – in the event of a data breach

There are also European guidelines with further criteria to help you identify other likely high-risk processing.

Once completed, DPIAs should be reviewed periodically. This is because the way you use a system or service may change; there may be new mitigations available for risks you have identified; or there may be new or emerging risks you did not originally identify which need to be considered.

You should carry out a review of the services and systems your organisation uses to identify where personal data is being processed and a DPIA is necessary. You should retrospectively complete DPIAs where they are missing, and ensure going forward that DPIAs are completed in the planning stages of any new processing activities.


What should be included in a DPIA?

Your DPIA should, as a minimum, cover the following:

  • Record those involved:
    • Data Controller
    • Data Protection Officer (if you have appointed one)
    • The business area the processing will take place in
    • Relevant project team members
  • The name of the processing activity (service/system)
  • The date the assessment commenced
  • Describe the activity, including:
    • Why you want to carry out the processing
    • The end-to-end process
    • Who the data subjects will be, e.g., staff, customers, children
    • How many data subjects you anticipate will be affected by the processing
    • What harm might arise for data subjects
    • What would happen if you did not carry out this processing
    • Whether the processing relies on support from a data processor, and if so, what support you need from them
  • Describe the personal data and special category personal data involved in the processing
  • Confirm whether any personal data relates to criminal convictions or offences
  • Set out your legal basis:
    • under article 6 of the UK GDPR
    • under article 9 of the UK GDPR (if using special category personal data)
    • under Part 3 of the Data Protection Act 2018 (if you are processing data for law enforcement purposes)
  • Set out the responsibilities of the data processors (if using any), including ICO registration references where they operate in the UK
  • State whether there has been any consultation with data subjects and explain why
  • Describe how the processing will enable the exercise of the data subject rights
  • Set out what security measures are being put in place to protect the data during the processing activity
  • Set out whether the processing will be covered by a contract or data sharing agreement, including references
  • Identify and document where the processing will take place. If it is outside the UK, detail what appropriate safeguard you are relying on for the processing
  • Consider records management:
    • Assign an asset manager and add to the information asset register
    • Capture in your Records of Processing Activity (if you are required to have them)
    • Ensure a privacy notice is in place that covers the processing activity
  • Identify any risks in the processing and detail the mitigations for those risks
  • Gain approval from the relevant senior person in your organisation and your DPO if you have appointed one
  • Set out when reviews will be conducted and by whom.

If you or your organisation are new to DPIAs, the ICO provides a template to get you started.


When do we need to consult with the ICO?

If you have completed a DPIA but cannot mitigate the risks you have identified, you cannot start the processing until you have consulted with the ICO.

You will need to send the ICO a copy of your DPIA. You will receive an acknowledgement from the ICO, and they will let you know within 10 days whether they have accepted your DPIA for Prior Consultation and why.

It can take up to 14 weeks for the ICO to conduct their consultation, and you may be required to provide additional information. If you do not provide the requested information, the ICO cannot complete the consultation process.

The possible outcomes from consultation are:

  • The risks are sufficiently mitigated and you can commence the processing
  • Advice on additional mitigations to put in place before processing commences
  • An official warning explaining the ICO's concerns that your processing will contravene the UK GDPR, together with recommendations
  • The ICO imposes a limitation or ban on your proposed processing.

For further support with information governance, please contact IGS@essex.gov.uk