Data protection impact assessments
You may have spotted in the news that the government has said that it has not done a data protection impact assessment — a DPIA — for part of it coronavirus contact tracing system, even though (it acknowledges) it is legally obliged to do so.
What is a DPIA?
A data protection impact assessment is supposed to be a thorough analysis of a proposed activity, to work out what risks it might cause to people’s rights and freedoms (and not just data protection rights and freedoms), so that mitigations can be identified and implemented.
More than just arse covering or legal compliance, it should mean a better, safer, less risky product or service.
When must I do a DPIA?
It is a legal requirement for an organisation to carry out a DPIA where the proposed activity:
“is likely to result in a high risk to [people’s] rights and freedoms”.
In particular , if that activity uses "new technologies".
Specific situations which require a DPIA
There’s a list of things in the GDPR itself which automatically require a DPIA:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences ...; or
- a systematic monitoring of a publicly accessible area on a large scale.
Guidance from the European data protection expert group explains what, in its view, some of these terms mean.
In addition to these, the UK’s regulator, the ICO, has a list of (currently) 10 activities which trigger the requirement for a DPIA.
- Innovative technology: processing involving the use of innovative technologies, or the novel application of existing technologies (including AI). A DPIA is required where this processing is combined with any of the criteria from the European guidelines.
- Denial of service: Decisions about an individual’s access to a product, service, opportunity or benefit that is based to any extent on automated decision-making (including profiling) or involves the processing of special category data.
- Large-scale profiling: any profiling of individuals on a large scale.
- Biometrics: any processing of biometric data. A DPIA is required where this processing is combined with any of the criteria from the European guidelines.
- Genetic data: any processing of genetic data, other than that processed by an individual GP or health professional for the provision of health care direct to the data subject. A DPIA is required where this processing is combined with any of the criteria from the European guidelines.
- Data matching: combining, comparing or matching personal data obtained from multiple sources.
- Invisible processing: processing of personal data that has not been obtained direct from the data subject in circumstances where the controller considers that compliance with Article 14 would prove impossible or involve disproportionate effort. A DPIA is required where this processing is combined with any of the criteria from the European guidelines.
- Tracking: processing which involves tracking an individual’s geolocation or behaviour, including but not limited to the online environment. A DPIA is required where this processing is combined with any of the criteria from the European guidelines.
- Targeting of children or other vulnerable individuals: the use of the personal data of children or other vulnerable individuals for marketing purposes, profiling or other automated decision-making, or if you intend to offer online services directly to children.
- Risk of physical harm: where the processing is of such a nature that a personal data breach could jeopardise the [physical] health or safety of individuals.
Should I have a process for this?
It would be smart to implement a process, so that, before anyone engages in new processing of personal data, they check if a DPIA is needed. A "pre-DPIA assessment", if you will.
This should help ensure that things don't get missed, and helps you comply with your duty of “accountability”.
Why should I do a DPIA?
Well, the simplistic answer is "because the law demands it". And, while that is a reason, it's not the only, or even best, reason.
The reason you do a DPIA is so that you can rigorously assess the risks inherent in your activity, and work out how you can lessen them. You're still aiming to achieve the same goal, commercially, and the DPIA is a tool to help you find the best (or even just a better) way of achieving it.
If, having done your DPIA, the activity would still result in high risk — in other words, you can't mitigate those risks —
How do I do a DPIA?
The GDPR says that a DPIA must contain at least:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
Clear? Probably not... If you’ve no idea where to start:
- read the guidance I've linked above; and
- while I don’t think it’s the best template, from a usability perspective, the ICO has published a template DPIA. (From a legal point of view, it would be hard for the ICO to criticise you for using its own template.)
If you need a have, we've helped companies do DPIAs for loads of different products and services, so get in touch if you'd like us to work with you on it.
What happens if I don't do a DPIA when one's required?
The main impact is that you expose the people who are the subject of your processing — perhaps your customers or staff — to unnecessary risks.
From a legal point of view, failing to do a DPIA when required is a breach of the GDPR, and could lead to regulatory sanctions, including fines, or — and possibly worse — an order to stop the activity.
(In the case of the government and its contact tracing strategy, it seems that the ICO is already involved and aware of the lack of a DPIA, but is acting as a "critical friend". That's not a role envisaged by the data protection framework, so eyebrows will be raised here. Don't bank on the ICO being just a "critical friend" if you fail to do a DPIA when one is required.)