What is a Data Protection Impact Assessment?

With the introduction of the EU’s General Data Protection Regulation and the recent update of the UK’s Data Protection Act, a greater focus has been placed on businesses to be more accountable for the safety of data and to build data protection into their products and processes right from the design stages.

To facilitate this new focus, businesses are being encouraged to assess their level of risk and, under certain circumstances, doing so is even a legal requirement.

What is a data protection impact assessment?

A data protection impact assessment (DPIA) is a tool or process that allows for the identification and classification of risks within a project, system or business. It helps organisations to determine if their processes would compromise the privacy of their customers, staff or anyone on whom they hold, collect or process data.

A risk in this case is any possible situation where the rights and freedoms of a person are endangered. Such risks can range in size as well as scope in that they encompass anything that may harm (be that physical or otherwise) individuals or society at large. To classify those risks, you must consider the likelihood of them occurring and the severity of the damage should the worst occur.

In addition to identifying risk, a DPIA also allows for mitigation of risk through the evaluation of alternative processes, or adjustment of existing processes.

The overall aim of a DPIA is to minimise the impact of data protection risks and to prevent them if reasonably possible. Performing a DPIA does not mean that all risks to data have been eradicated, but it allows decisions to be made as to whether the level of risk is acceptable for any instances where preventative measures have not been (or could not be) put in place.

Performing DPIAs within your business can facilitate compliance with certifications such as ISO 27001 or BS 10012, provide financial benefits through a reduction in fines for breaching data protection laws, and help your business demonstrate accountability leading to the reputational benefits of building trust with customers and stakeholders.

Who should carry out DPIAs?

As DPIAs are such a useful tool to help businesses comply with data protection law, organisations such as the Information Commissioner’s Office (ICO) recommend that they be performed by anyone who processes or stores personal data.

Performing a DPIA is only mandatory for processes, systems or projects for which there is a high risk of damage to the rights and freedoms of an individual.

High risk in this context is a process, system or project that:

  • Uses innovative technologies
  • Uses extensive automated processing or profiling to make decisions (such as access to a service), for example when data is being matched or combined from different datasets
  • Collects personal data from a source other than the individual without having first provided them with a privacy notice (‘invisible processing’)
  • Processes special category or criminal offence data on a large scale, e.g. targeting children for the purposes of marketing or selling online services
  • Systematically monitors publicly accessible places on a large scale, such as tracking an individual’s location or behaviour
  • Endangers the health or safety of an individual should there be a security breach, e.g. if biometric or genetic data is processed

Are DPIAs one-off tasks?

It should be noted that the performance of a DPIA is not a one-off task. To be truly effective, DPIAs must be performed every time a change is made to any process which affects the collection, storage or processing of data. DPIAs should also be regularly reviewed to ensure they remain suitable for the business and the reduction of risk.

Embedding DPIAs into your business processes will ensure that they are performed and that the outcome can influence your plans.

In general, it is considered good practice to perform a DPIA for any project which requires the processing, storage or collection of personal data. Other situations where it is good practice would be when:

  • a new IT system has been introduced for the storage or access of personal information;
  • there are plans to share data with other organisations, even if they are within the same group of companies;
  • particular demographics are being identified and automated decisions on them are being made; or
  • a new and unexpected use of existing data is being considered.

Is a DPIA the same as a privacy impact assessment (PIA)?

Some organisations already perform PIAs and so may wonder if they need to perform DPIAs.

Although the processes are similar, it is important to review your current processes to make sure that they comply with all the necessary requirements of a DPIA.

You do not need to perform a DPIA if the relevant risks and safeguards have already been considered, such as through a PIA. However, if there has been a significant change to the nature, scope, context or purposes of the processing since that assessment you must carry out a DPIA, especially if you are processing data in a way that is considered high risk.

How should a DPIA be carried out?

Ideally, a DPIA should be performed at the beginning of every project, before any data is collected or processed. The assessment can cover a group of similar operations or look at a single process, but it should include the following steps:

  1. Does the business need to carry out a DPIA for this project/process?
  2. Describe how the data will be gathered/processed – in particular, consider the nature, scope, context and purposes of the processing.
  3. Consider if external advice is needed to deal with the risk appropriately. For example, the data protection officer should be the first port of call, but any stakeholders in the project should also be consulted.
  4. Assess the necessity and proportionality of gathering/processing the data; this includes any issues of legal compliance that these actions bring up.
  5. Identify and assess the risks of gathering/processing the data, especially if those risks affect individuals. To assess the level of risk, consider the likelihood and the severity of harm resulting from that risk. High risk events are not just those that cause serious harm but can be those which cause little harm individually but occur frequently.
  6. Identify any required measures to mitigate the identified risk.
  7. Sign off and record the outcomes of any decisions made.
  8. Integrate these outcomes into the overall business plan/objectives.
  9. Keep these outcomes under review so that they remain applicable.

The great thing about a DPIA is that the process is both flexible and scalable, and is applicable to any project or process. For a good DPIA example, consult the European criteria for an acceptable DPIA.

Do the ICO need to be consulted?

If, for any reason, a high-risk process is identified through a DPIA, and there can be no steps taken to mitigate that risk, the ICO must be notified. Businesses must not begin collecting/processing data until the ICO have been consulted.

The ICO will look through the evidence sent to them and provide advice as to whether the risks are acceptable or if further action is necessary (for example, if the processing in its current form would result in a breach of GDPR). In extreme cases the ICO may also issue a formal warning or prevent a business from carrying out the processing altogether.

Further information on DPIAs is available in the EU’s Guidelines on Data Protection Impact Assessment and the ICO’s Data protection impact assessments guide.