DPIA Impact Assessment

DPIA Impact Assessment - Straightforward, and Stress-free

You may have questions and concerns about performing a DPIA Assessment (or GDPR impact assessment). GDPR may seem like a minefield for business owners who want to demonstrate compliance yet worry about the correct (and legal) way to process personal data.

These assessments can appear to be time consuming, complex, and fraught with difficulties. If you are feeling confused or concerned about DPIA or GDPR then let us help make it easy, straightforward, and stress-free for you.

In a nutshell - what is a DPIA?

A DPIA is basically a risk assessment relating to processing personal data. Not only is it a good idea to identify and minimise these risks, but it is also a legal requirement. DPIA stands for Data Protection Impact Assessment. It can sometimes also be known as a PIA or Privacy Impact Assessment.

DPIAs help data controllers to comply with GDPR requirements and to demonstrate that compliance. A DPIA must be carried out before certain types of data processing.

What are the benefits of a DPIA?

Although a DPIA can sometimes be legally necessary, a regular privacy impact assessment can also be a useful tool for identifying and minimising GDPR risks. It also shows your willingness to display compliance and accountability which builds trust and boosts the reputation of your business.

It is useful to think of a DPIA as more of an ongoing process than a one-off event. It is important for controllers to continually assess whether their data processing creates a risk to the rights and freedoms of the data subjects.

What happens if you fail to perform a DPIA?

Not performing a DPIA when you need to can result in a heavy fine. If your data processing is subject to data protection impact assessment, then you must complete a DPIA.

Failure to conduct the DPIA in the correct manner, or failure to contact the ICO when required can also result in serious enforcement action from the ICO, or other EU Supervisory Authority.

Under current regulations, you could incur a fine of up to £8.7 million, or 2% of your annual turnover (whichever is higher).

Is a DPIA necessary for your business?

Primarily, you should assess whether a GDPR privacy impact assessment (or DPIA) is necessary for your business.

The first thing to ascertain is the level of risk created by your data processing. If it is likely that there is a high risk to individuals, then you will need to perform a DPIA.

UK GDPR states that you will need to perform a DPIA if you are going to:

• Process criminal offence data

• Monitor a public place

• Process genetic or biometric data

• Conduct or use profiling data

• Conduct ‘invisible processing’ (collect data without providing a privacy notice)

• Process data which may pose safety or health risks to an individual

• Profile children or direct marketing towards children

• Track the behaviour or location of individuals

• Use new data processing technology or systems

Any major projects which involve processing personal data, or any large-scale monitoring or profiling, will most likely require a DPIA.

Contact us today and we can begin working immediately to ensure your system is legal.

Assessing levels of risk to individuals

Before processing data, you should consider the probability (and severity) of any potential risk to individuals. If you identify high levels of risk and a likelihood of harmful consequences to individuals, then you must act to mitigate that risk in every way that you can. If you are unable to mitigate the risk, then you will need to contact the ICO before you begin processing the data. The ICO will provide written advice within 8-14 weeks (depending on the complexity of the case).

Processing personal data - The 6 lawful bases

You must have a lawful basis in order to process personal data. There are 6 bases, or legal reasons, that justify processing personal data:

• Legal obligation - you need to process the data as part of a legal obligation

• Public duties - the data processing is in the public interest, or for official reasons

• Consent - the data subject has given consent for their data to be used

• Vital interests - the data processing is necessary to protect an individual’s life

• Legitimate interests - processing is required for legitimate reasons and is not overridden by the need to protect the individual’s data

• Contract - processing is needed to fulfil a legal contract with the individual

What does a DPIA involve?

There are several important steps you will need to follow when performing a thorough data protection impact assessment:

• Carry out a review to see if you need a full DPIA

• Describe the purpose and scope of your data processing project

• Consider consulting with experts and interested parties

• Establish that you need to process the data and can remain compliant

• Identify any potential risks

• Have a plan to mitigate risk and protect individuals

• Create a report describing your conclusions and considerations

• Keep track of your actions to ensure against function creep

The DPIA should be undertaken before you begin processing data and should continue through the planning and execution of your data processing project.

Taking a risk-based approach to data protection

Considering the serious consequences of a data breach, taking a risk-based approach to data protection is a logical precaution. If your business collects, controls or processes data relating to individuals then it is important to understand your legal obligations and take whatever actions are appropriate.

Performing a DPIA will help ensure that your security measures are efficient and effective. It also means that you won’t waste time and resources on threats that are very unlikely to occur or would have a low negative effect on the individuals involved.

By conducting a DPIA in the initial stages of a project you can identify and address potential problems as early as possible. Taking a pre-emptive approach will have several benefits:

• Problems can be identified before you begin processing

• You can create a plan to address any potential problems

• It is usually cheaper and easier to deal with issues at an early stage of a project - rather than changing your processing system later on

• GDPR awareness will be increased within your business

• You will be far less likely to breach data regulations

Is conducting a DPIA mandatory?

A DPIA is not a mandatory requirement in every processing project but is dependent on the circumstances and the type of processing involved.

A DPIA is mandatory when data processing is likely to result in a high risk to the rights and freedoms of individuals.

Individuals have the right to data protection and privacy, and controllers have an obligation to ensure those rights are protected, and to comply with GDPR.

If your data processing is likely to endanger the rights of the data subjects, then a DPIA is required by law.

If it is not clear if a DPIA is required or not, then it is recommended that one is carried out anyway. A DPIA is a good way to demonstrate your legal compliance with GDPR.

DPIA and new technology

Conducting a DPIA is particularly relevant when new data processing methods or technology are being used. Using new technological systems or innovative solutions may create a risk to the rights of individuals and should be accurately assessed before implementation. This could include such things as fingerprint or facial recognition technology, fitness apps and similar software applications. Any novel ways of collecting or using data can trigger the need for a DPIA.

DPIA and large-scale processing

Although not clearly defined, processing on a large scale may mean the number of data subjects, the size of the portion of the population, the geographical extent as well as the volume of data being processed, and the duration of the processing. Large processing operations may present large scale risk and require a DPIA to assess.

DPIA and systematic monitoring

Monitoring systems pose a particular threat as individuals may not be aware that they are being monitored, or be able to avoid being monitored, for example CCTV cameras in public places. The data collected, held, and processed may risk the rights of subjects. Social media data gathered for generating a profile, camera monitoring of employees, and internet activity are all examples of systemic monitoring. A DPIA will help assess and mitigate any risk.

DPIA and vulnerable data subjects

Vulnerable subjects could mean the elderly, children, asylum seekers, employees, individuals with mental illness, hospital patients etc. In these cases, there may be a power imbalance between the data controller and the data subject. The subject may not be capable of knowingly consenting to (or opposing) the processing of their personal information. A DPIA is required due to the inherent high risk in these circumstances.

DPIA and sensitive data

Sensitive or personal data may include medical or criminal records, financial data, location details, private communications such as emails, and more. Any personal data that is collected poses a risk to the data subject so a DPIA may be necessary to assess the data collection and usage.

When is a DPIA not necessary?

There are circumstances where a DPIA may not be needed. A publication which uses a mailing list to send a generic message to subscribers is not likely to require a DPIA. Similarly, a website which uses limited profiling to display adverts, based on a subject’s purchasing or browsing on its own website, would not trigger a DPIA. In such cases, the data controller should consult with the data protection officer and record the reasons for not carrying out a DPIA.

In summary

A DPIA is an invaluable process to assess and manage risks to the rights and freedoms of data subjects (individuals). The purpose of the DPIA is to identify potential risks and enable controllers to find ways to mitigate the risks. A DPIA helps controllers to be compliant with GDPR and to demonstrate legal compliance.

What to do next:

• Please contact us now and let us remove the stress of managing data compliance in your business.  

• We handle the complete scope of any data privacy impact requirement

How much will this cost?

A DPIA can vary depending on the size and scale of the project or processing activity.  

A minor DPIA can take as little as a 2-3 days, which includes the time we spend auditing and learning the data flows in the environment, ahead of drafting the document.  

A significant DPIA can take several months of drafting, analysis of the results, then re-drafting to address any undue risks.  Where special category data is involved, or there is a potential risk to the rights and freedoms of the data subject, you will need to engage and liaise with the appropriate Supervisory Authority (UK ICO) at all stages. 

Our standard fees are £125 per hour, per Privacy Consultant. If our Senior Global Privacy Consultants are required for the more complex engagements, fees are £1,250 per day.  

Why choose us?

Click here to find out why we are the UK’s #1 privacy consultancy.