The GDPR requires businesses to consider the principles of data protection in processing activities before they even commence, in other words to adopt a data protection by design approach. There is nothing new here – the key change with GDPR is that it is now a legal requirement.
When an organisation processes (or plans to process) personal data that is likely to result in a high risk to the rights and freedoms of individuals, steps must be taken to ensure these risks are appropriately addressed and risks mitigated.
In this article, we look at what you need to know about high risk data management and your obligations under the GDPR and DPA 2018 if high-risk data is uncovered.
How data is managed has always been a critical consideration for business owners – with high risk data being particularly important to get under control. But what should a business do when high-risk data is uncovered?
The General Data Protection Regulation (GDPR) has brought about new rules around “high risk” data which clarify the issue to an extent. It divides risk into two categories – risk-as-continuum and risk-as-disjunctive – with the relevant one here being ‘risk-as-disjunctive’. This focuses on “risk” and “high risk”, which is important because there are specific obligations that come with “high risk” data management.
Before we continue, perhaps it’s best to define what data management is. It’s the process of acquiring, validating, storing, protecting, and processing data. With all types of data, organising and maintaining it is important but with “high risk” data the data management processes will be under closer scrutiny. And when it comes to “high risk”, we are referring to a high risk to individuals’ interests from processing.
1. Data Protection Impact Assessments
A Data Protection Impact Assessment (DPIA) is a process that helps you identify and minimise the risks of implementing a new data processing system or technology. It should be carried out in the development stage of the new project to ensure compliance risks and the rights of individuals are properly factored in from the start – this approach is called privacy by design.
If the processing activity is already in place, then the DPIA should be done retrospectively without further delay.
Under the GDPR, it must be done in all instances where processing is likely to result in a high risk to individuals – and it is the data controller who assumes the responsibility for ensuring this is conducted appropriately.
To assess the level of risk, you should consider both the likelihood and severity of any impact on individuals – the GDPR sets out the following examples of high-risk processing activities:
“Systematic and extensive evaluation of personal aspects … based on automated processing, including profiling, on which decisions are based that produce legal effects”
“Large-scale processing of sensitive personal data as well as criminal conviction and criminal offence data; and large-scale and systematic monitoring of a publicly accessible area.”
Here’s a handy step-by-step graphic of the DPIA lifecycle in a project:
Use these steps to design your plan. The ICO has published its own DPIA you can use as a template, or you can make your own. If you choose to make your own, keep in mind the EU has set out very specific guidelines on the criteria for an acceptable DPIA.
2. If you cannot mitigate risk, you must inform the ICO
If your DPIA identifies a risk you cannot mitigate, you must inform the Information Commissioner’s Office (ICO) to fulfil your accountability obligations. This is set out under the Data Protection Act 2018 which implements the GDPR. The ICO will consult with you at this point and give written advice as to whether the processing should take place or not.
Some confusion has arisen from misinformation online saying that in the event you cannot mitigate risk you must consult with the EU DPAs. This is not the case with British businesses, who must consult with the ICO before starting processing.
3. Security breach notification
Security and privacy breaches can happen at any time, and in the event of a high-risk data breach there is now a specific legal obligation on the controller to notify the affected individuals without undue delay.
Under Article 34(1) of the GDPR, controllers have an obligation to notify individuals of a data breach in cases where such a breach “is likely to result in a high risk to the rights and freedoms” of those individuals. Should there be a delay in notification to these individuals, then the ICO will require an explanation, which could result in a higher tier penalty being imposed.
4. Risk level must be determined case-by-case
Perhaps the most important rule detailed under the GDPR that will influence your organisation’s approach to managing high risk is that the actual risk level of a project must be determined on a case-by-case basis.
This is the case even when high risk is only suspected, and even where the likelihood of high-risk data being uncovered is low.
This means each case must have a DPIA. Unsurprisingly, under the GDPR “using new technologies” is now listed as a possible circumstance of “high risk”, and this means emerging and new technologies through which data is collected could be subject to a DPIA. A good example would be the development of a new app for a consumer-facing brand. This new app may not offer a sufficient level of protection for the category of personal data that it processes. A DPIA would identify this and flag the concern in the development phase, allowing it to be addressed early on.
However, even where possible high-risk data is uncovered, intense investigation is necessary to truly determine the risk profile. Data is perfectly capable of being downgraded to “normal risk” which brings with it less scrutiny.
5. Assigning a DPO is now mandatory (in some cases)
If your organisation’s core activities require the regular and systematic monitoring of individuals on a large scale, then you are now legally required to appoint a data protection officer (DPO). All public authorities must appoint a DPO irrespective of the above, with the only exception being courts acting in a judicial capacity.
If your business will handle high-risk data or engages in activities that may result in high risk to individuals’ interests, a DPO will see that your data management processes meet the minimum requirements as set out by the GDPR.
A DPO is there to assist your business in complying with the Data Protection Act 2018 and the GDPR. They can inform and advise you on your obligations and provide advice in the case of high-risk data being processed. They monitor compliance with data protection laws and, when a DPIA is carried out, they will monitor the process. It’s important to note, however, that in the context of DPIAs, the DPO is not required to carry them out, nor are they responsible for them. Instead, risk assessments should be delegated.
The more complex or high-risk your data activities are, the more valuable a DPO becomes, so it is imperative they have a good understanding of European data protection guidelines and are able to apply these to the daily operation of the business.