Data protection impact assessments (DPIAs) are a new, but in some ways familiar, feature in the data protection landscape. As 'privacy impact assessments', or PIAs, they have existed in various guises around the world since the 1980s. In the UK, the first country in Europe to develop a PIA methodology, the ICO first published a PIA Handbook over ten years ago, in December 2007.
What is new is that Article 35 of the GDPR makes it mandatory for controllers to carry out a DPIA before undertaking risky processing. To be precise, before undertaking processing, in particular using new technologies, which is 'likely to result in a high risk to the rights and freedoms of individuals.' PIAs were good practice; now, failure to adequately conduct a mandatory DPIA could result in an administrative fine.
A DPIA is a process to ensure that organisations identify, assess, and evaluate the risks to data subjects from projects or data processing activities. The rationale is that identified risks can then be avoided, mitigated, or accepted.
Types of processing likely to result in a high risk
Article 35(3) of the GDPR provides a non-exhaustive list of cases in which processing is 'likely to result in a high risk':
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person (see also recital 71);
- processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10 (see also recital 75); or
- a systematic monitoring of a publicly accessible area on a large scale.
The ICO, as required by the GDPR, has also published a list of the types of processing that require a DPIA.
Furthermore, the European Data Protection Board (EDPB) has endorsed guidance on DPIAs issued by its predecessor body, the Article 29 Working Party (WP29): DPIAs and determining whether processing is "likely to result in a high risk". This identifies nine criteria that might indicate high risk and suggests that, 'as a rule of thumb', processing operations that meet two or more will require a DPIA.
The EDPB-endorsed guidance also explores the meaning of 'large scale'. This term is not defined in the GDPR beyond the observation in Recital 91 that 'the processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer'. In determining what does constitute 'large scale', the WP29 guidance suggests having regard to:
- the number of data subjects concerned, either absolutely or proportionately to the relevant population;
- the volume of data and/or range of different data items to be processed;
- the duration or permanence of the data processing activity; and
- the proposed activity's geographic extent.
A DPIA is not legally required:
- where the processing is not 'likely to result in a high risk to the rights and freedoms of natural persons';
- in relation to processing which, by its nature, scope, context and purpose, is very similar to processing for which a DPIA has already been carried out; or
- where a particular processing operation is exempt under EU or UK law from a DPIA.
Processing operations which existed before 25th May 2018 also do not require a DPIA, as the requirements apply to processing operations initiated after the GDPR came into force. However, where significant changes take place to such pre-existing processing, e.g. because a new technology is used or personal data is used for new purposes, such changes might be regarded as a new data processing operation and could require a DPIA.
What does a DPIA include?
Article 35(7) identifies four features that DPIAs must contain for them to be sufficiently comprehensive. These are:
- a systematic description of the processing proposed, its purposes, and, if applicable, the legitimate interest pursued by the data controller;
- an assessment of the necessity and proportionality of the envisaged processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects; and
- the planned measures to address the risks.
What are the steps in undertaking a DPIA?
We recommend you consult the ICO’s guidance on DPIAs. The ICO identifies six steps in the process, and recommends organisations consult with internal and external stakeholders as needed as part of the process.
Importantly, the ICO also suggests that organisations integrate the DPIA process into their project and risk management procedures as the most effective way of ensuring that sector and firm specific issues are covered.
Law firms vary in the technologies they employ to manage personal data, and different firms may interpret the risks to data subjects from new technologies differently. Even if a mandatory DPIA is not required, the ICO advises that it may be good practice to carry one out. It is almost certainly good practice in the early stages of any IT transformation project to consider whether or not a DPIA might be required, to document this, and to review your conclusions as the project develops. In practice, for most law firms, awareness of DPIAs will be an essential part of GDPR compliance, but carrying out a full-blown, mandatory DPIA is likely to be rare.
If your firm has a Data Protection Officer (DPO), their advice must be sought in relation to a DPIA and the decisions taken appropriately documented as part of the DPIA process. The DPO is responsible for monitoring the performance of the DPIA. If the processing in question is performed in whole or in part by a data processor working on your behalf, you should require the processor to assist you in carrying out the DPIA, including, for example, by providing necessary information. As controller, however, you remain ultimately responsible and accountable for the DPIA. We recommend that you include appropriate provisions in your data processing agreements to ensure that you have all necessary assistance and cooperation from your processors in relation to any DPIAs you need or wish to undertake.
In carrying out a DPIA you should, in appropriate circumstances, seek the views of data subjects or their representatives (Article 35(9)). Depending on the issues arising from the envisaged processing operation, you may also wish to seek advice from independent experts and engage with and seek input from other relevant stakeholders.
Where you determine that an identified risk to the rights and freedoms of data subjects cannot be sufficiently addressed by you, you must consult the ICO, providing a copy of your DPIA.
Although it is not a legal requirement, it is good practice to publish your DPIA either in full or in summary form.
Finally, a DPIA is not a 'one-off' exercise, and requires on-going monitoring and review to ensure that new risks are proactively identified and addressed, and that new circumstances are taken into account to ensure on-going compliance. The Article 29 Working Party recommends all DPIAs are monitored on an on-going basis and re-assessed at least every three years.
The DPIA process is outlined in checklist 10 of our 'Preparing for the General Data Protection Regulation: A guide for law firms', and you can find the ICO's extensive DPIA guide, awareness checklist and template online.