When and how to write a GDPR DPIA

The EU’s General Data Protection Regulation (GDPR) legislation isn’t meant to be a mere compliance checklist. Unlike some other data-related regulations, there isn’t a simple list of processes and technologies you can install to be compliant. And just because you were compliant on May 25, 2018, doesn’t mean you are still compliant now.

A primary way to both show and audit your own ongoing compliance efforts is through Data Protection Impact Assessments (DPIAs), which help you assess new processes involving personal data to show you have considered and mitigated potential risks that would lead to non-compliance with GDPR. However, these audits can be time-consuming. Companies should know when they need to conduct a DPIA and when they don’t, without the fear of non-compliance and the threat of fines.

What are Data Protection Impact Assessments?

DPIAs are a process to help organisations identify and minimize data protection risks of a project. The idea is to prevent potential data protection issues before they arise and reduce the risk of compliance. Organizations identify potential risks around the processing of personal data and then outline how they plan to mitigate those risks and reduce the potential negative impacts on EU citizen data.

Under GDPR, DPIAs are legally required in certain data processing situations. They are important for accountability and provide a record showing that organizations are considering the GDPR and the impact data processing will have on EU citizen data, and, in theory, helping instil a privacy by design mindset amongst organizations.

Companies that are used to conducting privacy impact assessments (PIAs), which have been used long before the GDPR, will likely find themselves in good stead around introducing DPIA processes. Organisations that haven’t previously had standard processes for making such assessments might find it difficult to know exactly when they are required to assess data risks.

When do you need to do a DPIA?

Under the GDPR, organizations are required to complete a DPIA for any processing that is likely to result in a “high risk” to the rights and freedoms of individuals. As with much of the GDPR, actual details on what can constitute high risk isn’t set in stone. Broadly speaking, high risk means anything involving large-scale processing, special categories of data, or profiling that can affect the person. However, the Information Commissioner’s Office (ICO) and other protection authorities have listed examples of types of data and processing that can potentially come under high risk and examples that may constitute needing a DPIA.

Such examples include processes that involve ‘extensive profiling with significant effects,” special category or criminal offence data on a large scale; or the monitoring of publicly accessible places on a large scale. The ICO also requires you to do a DPIA for processing involving biometric data, anything involving combining data sets from different sources, “invisible” processing such as online tracking, tracking individuals’ location or behaviour, profiling or marketing to children, and anything that could result in physical harm if that data was leaked. France’s CNIL authority has listed similar examples it says would require DPIAs to be conducted.

Processes that may involve denying access to services such as credit checks or mortgage  applications, or processes that include genetic data such as DNA testing, whistleblowing or complaint procedures, any type of tracking (broadly including loyalty schemes, wealth profiling, or even fitness or eye tracking), using biometrics for access control or identity verification for devices or services all are listed as examples where a DPIA would be needed. Processing of personal data involving ‘innovative technologies’ such as artificial intelligence/machine learning/deep learning, internet of things applications, connected or autonomous cars, or ‘neuro-measurement’ (i.e. brain technology) also would require DPIAs.

Failure to carry out a DPIA when required may leave you open to enforcement action, including a fine of up to €10 million or 2% global annual turnover if higher.

When don’t you need to do a DPIA?

The ICO has said that you do not need to do a DPIA if you have already done a substantially similar DPIA or are processing on the basis of legal obligation or public task. It also advises that you are not expected to do a DPIA for existing processes that have already been examined under previous risk or privacy impact assessment processes. However, if that process changes, a DPIA should be conducted. The ICO also recommends documenting reasoning for why DPIAs are not carried out to have a record if challenged in future.

While the ICO has not issued such a list, the Spanish regulator the Agencia Espanola Proteccion Datos (AEPD) recently released a white list of data processing scenarios that do not require a DPIA. These include;

• Processing data to comply with legal requirements or if the processing is ‘in the public interest’ or is being carried out via powers granted to the company via government officials.
• Processing carried out under previously established guidelines established or authorization through circulars or decisions from supervisory bodies (if the processing has not changed since it was authorized).
• Processing carried out under Commission-approved guidelines of codes of conduct bodies (as long as the processing has not changed since it was authorized).
• Processing carried out by self-employed personnel who work on an individual basis in the exercise of their professional duties including physicians, healthcare professionals, or lawyers.
• Processing carried out in relation to the internal (and not customer-related) administration of personnel working at small and midsize businesses for purposes such as accounting, human resources management, payroll management, social security, and safety in the workplace.
• Processing carried out by professional colleges and nonprofit associations in connection with the data of their associate members and donors around management of their personal data, and in the performance of their tasks.

How to write and process a DPIA

While how you do a DPIA is largely up to the organization, DPIA template forms are available on the ICO’s website, as well as other EU data protection authorities. Within a DPIA, organizations need to outline the project and its aims and detail the types of processing it will involve. This includes what data is being used (and whether it falls into any special categories listed in the GDPR legislation or local implementations such as the UK Data Protection Act), where and how it is collected, used, stored, and deleted, the purpose of the processing, and where the risks exist within those processes. You must then outline the measures your company will take to mitigate those risks.

Ideally DPIAs, as with risk assessment, should be done as early as possible within the lifecycle in the project. DPIAs should be done in conjunction with the data protection officer, the CISO, the teams working with the data and process, and potentially legal experts to help identify and mitigate risks to that data, wherever it may come from. The ICO says a good DPIA shows you have considered the risks related to your intended processing while considering your broader data protection obligations.

Once risks have been identified, companies need to detail ways they will be mitigated. Depending on the data, the purpose, and the risks involved, this could vary from reducing retention periods, anonymizing data, and updating privacy policies to implementing new security technologies, introducing more staff training, or even not collecting certain types of data. The ICO then suggests integrating those measures within project plans, identifying action points and those responsible for implementing them and monitoring the ongoing performance of the DPIA to ensure it is being adhered to.

Most DPIAs do not need to be sent to the ICO or other data protection authority. They are simply a process to record that you are making efforts to comply with the GDPR. While not a requirement, the ICO suggests companies should consider publishing their DPIAs to show compliance and garner trust among customers and partners. (Companies should be aware DPIAs may be made public through Freedom of Information Act [FOIA] requests).

However, if an assessment identifies a high risk and the organization cannot take measures to reduce that risk, a copy of that assessment form must be sent to the relevant data protection authority. The authority will then assess and inform you whether the risks are acceptable, or the organization should take further action to further reduce those risks. The authority may advise you not to carry out the processing as it would be in breach of the GDPR, issue a formal warning, or ban the processing altogether.

Note that an organization cannot begin that high risk processing until the authority has been consulted. Warnings remain on record, and there is no mechanism to appeal a warning. 

According to FOIA requests made against the ICO earlier in the year, it had received just 19 DPIAs for consultation in the eight months since GDPR came into force, and only two actually met the ICO criteria for needing consultation. Of those, the ICO issued one warning that processing would be a breach of GDPR, and the company in question amended the processing to the ICO’s satisfaction.