Outside glass view of RPC building.

ICO updates its guidance on data protection impact assessments

Published on 08 April 2019

When should a data controller conduct a Data Protection Impact Assessment (DPIA)?

The background

Article 35(1) of the GDPR states that data controllers must undertake a DPIA where a type of processing “is likely to result in a high risk to the rights and freedoms of natural persons”.  If a high risk is identified, and cannot be mitigated, then the Information Commissioner’s Office (ICO) must be formerly consulted before processing can proceed.

In April 2017, the Article 29 Data Protection Working Party adopted a set of guidelines on DPIAs (the Guidelines).  These identified a set of criteria to indicate mandatory circumstances when a DPIA would be required.  The criteria included the use of sensitive or highly personal data, large scale data processing and the innovative use of new technologies.  Where two, or more, criteria are met during data processing, the Guidelines stipulate that a data controller must undertake a DPIA.  However, a DPIA may also be required where only one criterion is met. 

Under the GDPR, national supervisory authorities such as the ICO are required to publically list the types of processing which they consider fall within the remit of Article 35(1) GDPR.  Such publications are subject to the “consistency mechanism” provided for in Article 63 GDPR, which kicks in where data subjects across a number of Member States would be substantially affected by data processing.  This mechanism allows the European Data Protection Board (EDPB) to harmonise guidance provided by supervisory authorities on the types of processing “likely to result in a high risk”. 

Following the ICO issuing draft guidance on DPIAs last spring, the EDPB requested that a number of changes be made in an Opinion (22/2018) published in September 2018.

The development

The ICO has now published its revised guidance, which includes an amended list of examples of data processing “likely to result in a high risk”.  In accordance with the EDPB’s comments, the amended list makes it clear where certain types of processing will only be caught when they occur alongside another criterion from the Guidelines. 

The processing operations which will only warrant a DPIA when combined with another criterion include:

  • those involving the innovative use of technologies, including the processing of new technologies
  • instances where biometric data is used to uniquely identify an individual
  • where “invisible processing” is being undertaken on personal data which has not been obtained directly from an individual
  • the tracking of an individual’s geolocation or behaviour, both physically and online.

Why is this important?

DPIAs are a fundamental element of the data protection regime established by the GDPR.  They have been identified by the ICO as a key part of the new focus on accountability and data protection by both design and default.  Their increasing prominence reflects the more risks-based approach which needs to be taken to comply with the GDPR. 

Previously, the ICO had always stated that a privacy impact assessment, the DPIAs predecessor, was always necessary where processing operations involved the use of new technologies.  By acceding to the EDPB’s requests, and making a DPIA conditional on there being multiple criteria in play, the ICO’s policy has shifted.  

Any practical tips?

Despite this policy shift, the ICO’s key message remains the same.  It is best practice for DPIAs to be completed whether or not data processing “is likely to result in a high risk”.  Accordingly, data controllers should be slow to discount the need for a DPIA even in circumstances where only one criterion is met.