A Data Protection Impact Assessment (DPIA) helps Data Controllers identify the most effective way to comply with their GDPR obligations and reduce the risks of harm to individuals through the misuse of their personal data. A well-managed DPIA will identify problems and allow them to be fixed at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur. DPIAs are also an important tool for accountability as they help Data Controllers to demonstrate that appropriate measures have been taken to ensure compliance with the Data Protection Principles.
Failure to conduct a DPIA, or failures in the process, can result in an administrative fine of up to 10 million Euros, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
A recent Norwegian case saw the data protection authority impose a fine of almost €47,000 on a town council in relation to its digital learning app. The Council communicated health-related information between school and home via the app, but insufficient security was put in place to avoid users accessing the personal data of others in their group. No risk assessment, DPIA or testing was undertaken before the application was rolled out. In May 2020, a company in Finland was fined €16,000 for failing to undertake a DPIA before processing the location data of its employees by tracking vehicles.
Of course there is also the reputational damage of not conducting a DPIA, especially when it comes to large-scale projects which rely on public confidence to ensure take-up and success. The Government has been criticised recently after it admitted that it had failed to complete a DPIA for the Covid19 Track and Trace Programme.
Article 35 contains an obligation on Data Controllers to conduct a DPIA before carrying out personal data processing likely to result in a high risk to the rights and freedoms of individuals. If the DPIA identifies a high risk that cannot be mitigated, the Information Commissioner’s Office (ICO) must be consulted. Two documents are essential in understanding the concept of a DPIA, namely the Article 29 Working Party’s (A29WP, now the EDPB) data protection impact assessment guidelines and the ICO’s DPIA guidance.
Carrying out a DPIA is not mandatory for every personal data processing operation.
It is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)). Such processing, according to Article 35(3), includes (but is not limited to):
- systematic and extensive evaluation of personal aspects relating to an individual which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significantly affect the individual
- processing on a large scale of special categories of data or of personal data relating to criminal convictions or offences
- systematic monitoring of a publicly accessible area on a large scale
So what other cases will involve “high risk” processing that may require a DPIA?
The ICO’s DPIA guidance states that a Data Controller must conduct a DPIA if it plans to:
- use new technologies;
- use profiling or special category data to decide on access to services;
- profile individuals on a large scale;
- process biometric data;
- process genetic data;
- match data or combine datasets from different sources;
- collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
- track individuals’ location or behaviour;
- profile children or target marketing or online services at them; or
- process data that might endanger the individual’s physical health or safety in the event of a security breach.
Who should conduct the DPIA?
A DPIA may be conducted by the Data Controller’s own staff or an external consultant.
Of course the Data Controller remains liable for ensuring it is done correctly. The Data Protection Officer’s advice, if one has been designated, must also be sought as well as the views (if appropriate) of Data Subjects or their representatives and Data Processors.
Act Now is using its expertise to help make the task of conducting a DPIA less daunting. We are supporting an exciting new public sector collaboration to co-design and develop a Digital DPIA which should make this task much easier. The final product will be available in the Autumn. Watch this space! We are also running a series of online workshops on How to do a DPIA.