ICO draft guidance: Data Protection Impact Assessments

When and how should a data controller conduct a Data Protection Impact Assessment (DPIA) under the GDPR?

The background

DPIAs are a tool for data controllers to build and demonstrate compliance with the GDPR. The process is designed to encourage organisations to describe and audit their processing activity, consider its proportionality, and balance its necessity against the risks to the rights and freedoms of their data subjects.

Under the GDPR, conducting a DPIA is compulsory in certain circumstances (prior to GDPR, privacy impact assessments were best practice). In brief, an organisation should conduct a DPIA before beginning any type of processing that is “likely to result in a high risk”.

The development

The Information Commissioner's Office (ICO) has released specific guidance for UK organisations on what DPIAs are, when they need to be carried out, how to carry them out and when to consult with the ICO. The guidance is in draft form and was open to consultation (now closed). Once published, the guidance will replace the ICO’s previous Code of Practice on conducting privacy impact assessments.

When should a DPIA be conducted?

The guidance sets out and comments on the three instances in Article 35(3) GDPR when organisations must carry out a DPIA:

1. using systematic and extensive profiling with significant effects;
2. processing special category or criminal offence data on a large scale; or,
3. systematically monitoring publicly accessible places on a large scale.

The ICO says that in this context “extensive” implies that the processing covers a large area, involves a wide range of data or affects a large number of individuals. There will be a “significant” effect where the processing has “a noticeable impact on an individual and can affect their circumstances, behaviour or choices in a significant way”. Whether processing is large scale will depend on a number of factors, including the number of individuals concerned, the volume and variety of the data, and the duration and geographical extent of the processing.

The ICO lists the following types of processing as those it considers likely to be high risk, and therefore requiring a DPIA:

• the use of new technologies – this includes the novel application of existing technologies;
• the use of profiling or special category data to decide on access to services;
• profiling individuals on a large scale;
• processing biometric data;
• processing genetic data;
• matching data or combining datasets from different sources;
• collecting personal data from a source other than the individual without providing them with a privacy notice (“invisible processing”); or
• tracking individuals’ location or behaviour.

The ICO also refers to the nine criteria identified by the WP29 in its October 2017 guidance, which may act as indicators of likely high risk processing. In brief, an organisation's processing is likely to result in a high risk to data subjects if it involves:

• evaluation or scoring (including profiling and predicting);
• automated decision making with legal or similar significant effect;
• systematic monitoring;
• processing sensitive data or data of a highly personal nature;
• data processed on a large scale;
• matching or combining data sets;
• data concerning vulnerable data subjects;
• innovative use or new technological or organisational solutions; or
• barriers preventing data subjects from exercising a right or using a service or contract.

As a rule of thumb, the WP29 considers that a processing activity meeting two (or more) of the above criteria will require a DPIA.

The guidance says that to assess the risk of processing, organisations should consider the potential impact on individuals and any harm or damage that might be caused, whether physical, emotional or material. As to whether the risk is high, organisations should consider the likelihood and severity of the possible harm. Note that a significant possibility of very serious harm may be enough to qualify as a high risk. Equally, a high probability of widespread, but more minor, harm might still count as high risk.

In the ICO’s view, even if there is no specific indication of likely high risk, it is “good practice to do a DPIA for any major new project involving the use of personal data”. The ICO’s draft guidance also says that organisations should “think carefully” about doing a DPIA for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals.

How should a DPIA be conducted?

The guidance explains that a DPIA should begin early in the life of a project, before processing starts, and should run alongside the planning and development process. It should include the following steps:

• identify the need for a DPIA;
• describe the processing;
• consider consultation with the ICO;
• assess necessity and proportionality;
• identify and assess risks;
• identify measures to mitigate risk;
• sign off and record outcomes;
• integrate outcomes into a plan; and,
• keep the DPIA under review.

The guidance states that it is important to embed DPIAs into organisational processes. A DPIA is not a one-off exercise and should be seen as an ongoing process that is reviewed regularly.

Organisations do not need to send every DPIA to the ICO, but the ICO must be consulted if the DPIA identifies a high risk and the organisation cannot take measures to reduce that risk. Processing cannot begin until the ICO has been consulted.

Finally, the ICO notes that a DPIA is not always required, including where the processing is done on the basis of a legal obligation or public task or where a substantially similar DPIA has already been carried. However, “you need to be confident that you can demonstrate that the nature, scope, context and purposes of the processing are all similar”.

Why is this important?

Non-compliance with DPIA requirements under the GDPR (ie, failure to carry out a DPIA when mandatory, carrying out a DPIA incorrectly, or failing to consult the relevant supervisory authority) can result in fines of up to €10m or 2% of total worldwide annual turnover, whichever is higher.  And remember that a DPIA-level fine would be additional to the higher level fines (€20m or 4% of global turnover) which could follow the identification of other breaches under the GDPR (i.e. for the underlying cause of a breach itself).

A DPIA can also be a vital piece in documenting processing activities, that will allow an organisation to systematically describe and analyse its intended processing, helping to identify and minimise data protection risks at an early stage. This was reiterated in an ICO blog piece dated 26 March by Ian Deasha, Information Rights Regulatory Development Group Manager. He added that an effective DPIA “could have real benefits down the line in ensuring compliance, building external trust and avoiding the possible reputational and financial implications of enforcement action following a breach”.

Any practical tips?

The good news is that, according to the ICO, if you have experience of DPIAs, the new GDPR process will be very familiar.  Data controllers should take note of the criteria and steps outlined by the ICO, and build them into the design of its DPIA process. In case of any doubt, the favoured option should be to conduct a DPIA – as ever, when dealing with GDPR compliance, it is better to be safe than sorry and no one will blame you for stress-testing a new data activity with the threat of GDPR-level fines looming overhead. The DPIA might also assist in showing compliance if there are any problems going forward as, in theory, it should provide a systematic record of the assessment and minimisation of the risks.