DPIAs are Data Protection Impact Assessments – these assessments are required for all organisations doing high-risk processing.
DPIAs could also be seen as a tool for accountability and could be used in other situations as well: conducting a DPIA should help ensure you are compliant (at the outset) and help you to demonstrate compliance at a later date.
When is a DPIA required?
Businesses will be required to perform a data protection impact assessment before carrying out any processing that uses new technologies and that (taking into account the nature, scope, context and purposes of the processing) is likely to result in a high risk to data subjects.
In particular, DPIAs will be required for:
- Any systematic and extensive evaluation of personal aspects by automated processing, including profiling, and on which decisions are based that produce legal effects concerning the data subject or significantly affect the data subject.
- Processing of special categories of personal data or data relating to criminal convictions and offences on a large scale.
- A systematic monitoring of a publicly accessible area on a large scale.
The recommendation is that, if in doubt, carry one out.
GDPR includes a list of occasions when DPIAs are required: employee monitoring should be subject to a DPIA – because this involves systematic monitoring and a vulnerable group. Trawling data from public profiles would also trigger a DPIA – because this is evaluation or scoring, and on a large scale.
In the UK, the ICO will be able to issue guidance on occasions when DPIAs are, or are not, required.
What do I need to do before May 2018?
The recommendations are that DPIAs are only required for processing started after GDPR comes into force – 25 May 2018. However, a similar review would have to be carried out for existing processing if there is a change in risk.
Carrying out the DPIA
Timing: a DPIA should be carried out at an early enough stage in a project so that any suggested changes can be made. This may mean a need to re-assess later on. Recommendations are that DPIAs should both be carried out continuously and be re-assessed at least every three years, or sooner if circumstances require.
Who is responsible: the organisation that collects and uses the personal information for its own purposes (‘data controller’) is ultimately responsible, although it could seek external assistance. An organisation that is working for the data controller, using the personal information (‘data processor’), may be required to help if it is largely responsible for the processing. Remember too that, if you have a Data Protection Officer, that person must be involved and must monitor performance of the DPIA. ‘Where appropriate’ the data controller should seek the views of individuals whose data is being processed (e.g. via a survey or study).
Also involve others who are relevant stakeholders (e.g. the business unit responsible for the processing) and/or relevant experts (e.g. a lawyer or security expert).