If your processing activities could uncover high-risk data, the GDPR requires you to carry out a privacy impact assessment. It is also good practice in some cases to carry out an assessment, irrespective of data risk category, to demonstrate accountability. In this article, we discuss the challenges to doing so.

The EU’s General Data Protection Regulation (GDPR) requires organisations to build data protection ‘by design and by default’ into every level of their business. One of the mechanisms toward compliance is carrying out a privacy impact assessment (PIA) which the controller must conduct before starting data processing, as set out by Article 35, if high-risk data may be uncovered.

You may know privacy impact assessments by another name – data protection impact assessments (DPIAs). These are one and the same, so guidance from reputable sources covering either term is relevant to you.

The key challenges organisations face with PIAs are knowing when they are necessary, who should do them, and what they should include. We’ll cover these challenges in detail below to help you get started with your own assessments.

What is a PIA?

A PIA is a mechanism for minimising the data protection risks of a project before any processing of data begins. The process helps an organisation analyse, identify and minimise the data protection risks of that project.

When is a PIA mandatory?

The general rule is that carrying out a PIA is mandatory wherever processing may result in high-risk data being uncovered. High-risk data is data considered to pose a “high risk to the rights and freedoms of natural persons” – in other words, data subjects.

Article 35 of the GDPR lists the following cases as ones in which a PIA is required in particular:

  • A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  • The processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
  • A systematic monitoring of a publicly accessible area on a large scale. For example, surveillance of public areas, RFID tracking.

If there is any doubt surrounding what data may be uncovered, a PIA should be carried out nevertheless to demonstrate accountability. Accountability is one of the seven principles of the GDPR. Compliance with it requires your organisation to be able to demonstrate that you comply with the other principles and rules of the GDPR.

The Information Commissioner’s Office (ICO) sets out additional, specific cases in which a PIA is mandatory, requiring you to carry one out if you:

  • Use new technologies;
  • Use profiling or special category data to decide on access to services;
  • Profile individuals on a large scale;
  • Process biometric data;
  • Process genetic data;
  • Match data or combine datasets from different sources;
  • Collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
  • Track individuals’ location or behaviour;
  • Profile children or target marketing or online services at them; or
  • Process data that might endanger the individual’s physical health or safety in the event of a security breach.

If any of the above apply to your processing activities, a PIA is mandatory.

Who should carry out a PIA?

The controller is legally responsible for carrying out the PIA, not the processor, and the controller must carry out the assessment “prior to processing”. Data should not be passed on to the processor until this obligation is fulfilled.

Which department or person carries out the PIA does not matter, so long as it is carried out properly, so responsibility for your PIAs should be delegated to an appropriate person. What constitutes a ‘proper’ assessment is set out below. If you appoint a data protection officer (DPO) for your organisation, note that they are not responsible for carrying out PIAs, but they can assist you in doing so.

What should a PIA include?

The GDPR itself sets out the minimum contents of a PIA. For many of you, the statutory wording is probably not very helpful in figuring out exactly what your PIAs should include, so here’s some more insight:

  • Your PIA must specify the types of data;
  • Your PIA must describe the nature, scope, context and purposes of processing data;
  • Your PIA must identify and assess the risks to individuals;
  • Your PIA must identify appropriate measures to mitigate those risks.

It’s important to remember that you must record both your PIA process and its outcome. PIAs should be carried out at the early stages of a project so as to satisfy the ‘by design and by default’ criteria set by the GDPR. If you uncover high-risk data during processing and you did not carry out a PIA, you should stop processing the data and carry one out.

The ICO has a PIA template you can use to get started with your own. You can use this outright if it’s relevant to your activities.

Additional PIA challenges under the GDPR

By now, you should have a pretty clear idea as to whether your organisation will need to carry out PIAs for its processing activities.

If the answer is yes, something to keep in mind is your relationship with the ICO. They require you to consult them if your PIA identifies high-risk data and you cannot mitigate that risk.

In this case, you cannot legally process the data until you have consulted the ICO, and afterwards only if they deem the risks acceptable and allow the processing to go ahead. If they do not deem the risks acceptable, they may advise you to take action, issue a formal warning, or take action to ban the processing altogether.

Lastly, there is the challenge of transparency with these assessments since they happen ‘behind closed doors’. Although there is no legal requirement to do so, public-facing organisations should seriously consider the benefits of publishing their PIAs. Doing so can help engender trust and confidence in the organisation. If you choose to go public, be sure to remove any sensitive information before publication.

Andy Chesterman