The ICO has recently published draft guidance relating to Data Protection Impact Assessments (DPIA) under the General Data Protection Regulation (GDPR) which can be found here (PDF download). It has been published for consultation, with the consultation period ending on 13 April 2018. The document is 44 pages long and sets out in detail guidance relating to DPIAs including what they are, when they are needed, the changes made by the GDPR, and how best to carry out a DPIA.
A DPIA is a process to help organisations identify and minimise the data protection risks of a project and must be undertaken for certain types of processing, or any processing likely to result in a high risk to individuals.
A DPIA must:
- Describe the nature, scope, context and purposes of the processing;
- Assess necessity, proportionality and compliance measures;
- Identify and assess risks to individuals; and
- Identify any additional measures to mitigate those risks.
The GDPR introduces a new obligation to undertake a DPIA before carrying out types of processing likely to result in high risk to individuals’ interests. If a DPIA identifies a high risk that cannot be mitigated, you must contact the ICO. According to the draft guidance, the ICO could take up to 14 weeks to provide a response.
The following are some of the key changes, as set out in the draft guidance:
- DPIAs are mandatory for any processing likely to result in a high risk. Organisations will need to review their screening questions to make sure they comply with the new requirements.
- You must consider the impact on any of an individual’s rights and freedoms, including (but not limited to) privacy rights.
- There are more specific requirements for the content of a DPIA.
Which activities require a DPIA?
The following types of processing automatically require a DPIA:
- Systematic and extensive profiling with significant effects
- Large scale use of sensitive data
- Public monitoring
As required by Article 35(4) of the GDPR, the ICO has also published a draft list of the sort of processing operations that are likely to be high risk and require a DPIA. This list is open for consultation and currently includes the following, each of which is set out in greater detail in the draft guidance:
- New Technologies
- Denial of service
- Large-scale profiling
- Genetic data
- Data matching
- Invisible processing
- Targeting of children or other vulnerable individuals
- Risk of physical harm
The draft guidance recommends that organisations review their existing processes even where they already carry out privacy impact assessments (PIAs). Organisations looking to undertake DPIAs for the first time and those who are familiar with PIAs but are currently re-examining them should find this ICO draft guidance useful.