Guidance for staff on carrying out a data protection impact assessment (DPIA)
A DPIA is:
A tool/process to assist organisations in identifying and minimising the privacy risks of new projects, systems or policies
A type of impact assessment conducted by an organisation, auditing its own processes to see how these processes affect or might compromise the privacy of the individuals whose data it holds, collects, or processes
A tool/process to assist organisations in ensuring that all activities involving personal data are proportionate and necessary
A Data Protection Impact Assessment (DPIA) is designed to accomplish three goals:
Ensure compliance with applicable legal, regulatory, and policy requirements for privacy;
Determine the risks and effects; and
Evaluate protections and alternative processes to mitigate potential privacy risks.
A DPIA should be carried out when you plan to:
Embark on a new project involving the collection of personal data;
Introduce new IT systems for storing and accessing personal information;
Participate in a new data-sharing initiative with other organisations;
Initiate actions based on a policy of identifying particular demographics;
Use existing data for a “new and unexpected or more intrusive purpose”;
Review or audit an existing system or activity.
Since a PIA concerns an organisation's ability to keep private information safe, the PIA should be completed whenever the organisation is in possession of personal information on its employees, clients, customers, business contacts and so on. Although legal definitions vary, personal information typically includes a person's name, age, telephone number, email address, sex and health information. A PIA should also be conducted whenever the organisation possesses information that is otherwise sensitive, or if the security controls protecting private or sensitive information are undergoing changes that could lead to privacy incidents.
According to a presentation at the International Association of Privacy Professionals Congress, a PIA has the following benefits:
Provides an early warning system - a way to detect privacy problems, build safeguards before, not after, heavy investment, and to fix privacy problems sooner rather than later
Avoids costly or embarrassing privacy mistakes
Provides evidence that an organization attempted to prevent privacy risks (reduce liability, negative publicity, damage to reputation)
Enhances informed decision-making
Helps the organization gain the public's trust and confidence
Demonstrates to employees, contractors, customers, citizens that the organization takes privacy seriously
PIAs involve a simple process:
Project Initiation: define the scope of the PIA process (which varies by organization and project). If the project is in its early stages, the organization may choose to do a Preliminary PIA, and then complete a full PIA once it is fully under way.
Data Flow Analysis: mapping out how the proposed business process handles personal information, identifying clusters of personal information, and creating a diagram of how the personal information flows through the organization as a result of the business activities in question.
Privacy Analysis: personnel involved with the movement of personal information may complete privacy analysis questionnaires, followed by reviews, interviews and discussions of the privacy issues and implications.
Privacy Impact Assessment Report: the privacy risks and potential implications are documented, as well as a discussion of possible efforts that could be made in order to mitigate or remedy the risks.
GDPR rules were incorporated into UK law by the Data Protection Act 2018 to provide a framework for considering workers’ views when new data processes are introduced. The rules provide scope to:
check if an employer is fulfilling their obligations under the law
ensure that the union is appropriately informed and involved as representative of its members
provide visible evidence on what data is being collected, how and why.
The systematic collection of workers’ data presents an inherent high risk to individual employees, as it could affect the employment relationship. This could include the risks of:
loss of data or poor security in how employers collect, store and use the data
damage to workers’ standing or reputation
material damage through decisions made using the data, such as promotion opportunities, pay or performance management
discrimination based on decisions made using the data.
Prospect has worked with a number of data and privacy specialists to produce our DPIA guide for union representatives.
Commenting on the guide, Anna Thomas, from the Institute for the Future of Work, said:
“It is hugely important that workers have access and control over their personal data, especially when it is collected at work and used to determine fundamental terms and conditions of work. Implementing data rights and processing safeguards under the Data Protection Act is a key step to achieve this goal.
“We are proud to have supported this excellent, practical guide for all UK Unions, in parallel with our recommendations for boosted individual and collective rights in the future.”
This guide is to help representatives ensure that meaningful consultation happens on a regular basis.