A Data Protection Impact Assessment (DPIA) helps Data Controllers identify the most effective way to comply with their GDPR obligations and reduce the risks of harm to individuals through the misuse of their personal data. A well-managed DPIA will identify problems and allow them to be fixed at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur. DPIAs are also an important tool for accountability as they help Data Controllers to demonstrate that appropriate measures have been taken to ensure compliance with the Data Protection Principles.
Consequences
Failure to conduct a DPIA, or failures in the process, can result in an administrative fine of up to 10 million Euros, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
A recent Norwegian case saw the data protection authority impose a fine of almost €47,000 on a town council in relation to its digital learning app. The Council communicated health-related information between school and home via the app, but insufficient security was put in place to avoid users accessing the personal data of others in their group. No risk assessment, DPIA or testing was undertaken before the application was rolled out. In May 2020, a company in Finland was fined €16,000 for failing to undertake a DPIA before processing the location data of its employees by tracking vehicles.
Of course there is also the reputational damage of not conducting a DPIA, especially when it comes to large scale projects which rely on public confidence to ensure take-up and success. The Government has been criticised recently after it admitted that it had failed to complete a DPIA for the Covid19 Track and Trace Programme.
Carrying out a DPIA is not mandatory for every personal data processing operation.
It is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)). Such processing, according to Article 35(3), includes (but is not limited to):
systematic and extensive evaluation of personal aspects relating to an individual which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significantly affect the individual;
processing on a large scale of special categories of data or of personal data relating to criminal convictions or offences; and
systematic monitoring of a publicly accessible area on a large scale.
So what other cases will involve “high risk” processing that may require a DPIA?
The ICO’s DPIA guidance states that it requires a Data Controller to conduct a DPIA if it plans to:
use new technologies;
use profiling or special category data to decide on access to services;
profile individuals on a large scale;
process biometric data;
process genetic data;
match data or combine datasets from different sources;
collect personal information from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
track individuals’ location or behaviour;
profile children or target marketing or online services at them; or
process data that might endanger the individual’s physical health or safety in the event of a security breach.
Who should conduct the DPIA?
A DPIA may be conducted by the Data Controller’s own staff or an external consultant.
Of course the Data Controller remains liable for ensuring it is done correctly. The Data Protection Officer’s advice, if one has been designated, must also be sought, as well as the views (where appropriate) of Data Subjects or their representatives and of Data Processors.
Help
Act Now is using its expertise to help make the task of conducting a DPIA less daunting. We are supporting an exciting new public sector collaboration to co-design and develop a Digital DPIA which should make this task much easier. The final product will be available in the Autumn. Watch this space! We are also running a series of online workshops on How to do a DPIA.
Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.
A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:
a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;