DATA PROTECTION IMPACT ASSESSMENTS (DPIA)
When the University collects, stores or uses personal data, the individuals whose data it is processing are exposed to risks. A Data Protection Impact Assessment (DPIA) is a process designed to identify the risks arising out of the processing of personal data and to minimise those risks as far, and as early, as possible. DPIAs are important tools for mitigating risk and for demonstrating compliance with the GDPR.
When should a DPIA be conducted? Under the GDPR, a DPIA is mandatory where data processing “is likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)). This is particularly relevant when a new data processing technology is being introduced. Where it is not clear whether a DPIA is strictly mandatory, carrying out one is still good practice and a useful tool to help data controllers comply with data protection law. The GDPR (Article 35(3)) gives the following non-exhaustive examples of processing that is “likely to result in high risks”:
“a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person”
“processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10”
“a systematic monitoring of a publicly accessible area on a large scale”
When is a DPIA not required? A DPIA is generally not required in the following cases:
Where the processing is not “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1))
Where the nature, scope, context and purposes of the processing are very similar to processing for which a DPIA has already been carried out. In such cases the results of the DPIA for the similar processing can be relied on (Article 35(1))
When in a project lifecycle should a DPIA be conducted? The DPIA should be carried out “prior to the processing” (GDPR Articles 35(1) and 35(10), recitals 90 and 93). It is good practice to carry out a DPIA as early as practical in the design of the processing operation. For some projects the DPIA may need to be a continuous process, and be updated as the project moves forward.
Who should be involved in conducting the DPIA? The Data Controller (the University) is responsible for ensuring the DPIA is carried out. The Project Principal Investigator, the Unit Head or the Head of School generally carries it out on behalf of the University. Under the GDPR (Article 35(2)), the Data Controller (in this case the University) must seek the advice of the University Data Protection Officer. This advice, and the decisions taken in light of it, should be documented as part of the DPIA.
The Data Controller is also bound to “seek the views of data subjects or their representatives” (Article 35(9)), “where appropriate”, when carrying out the DPIA.
What steps are involved in carrying out a DPIA? The GDPR sets out the minimum features of a DPIA (Article 35(7), and recitals 84 and 90):
“a description of the envisaged processing operations and the purposes of the processing”
“an assessment of the necessity and proportionality of the processing”
“an assessment of the risks to the rights and freedoms of data subjects”
“the measures envisaged to address the risks” and to “demonstrate compliance with this Regulation”
The following steps can be used as a guide through the process:
Identifying whether a DPIA is required
Defining the characteristics of the project to enable an assessment of the risks to take place
Identifying data protection and related risks
Identifying data protection solutions to reduce or eliminate the risks
Signing off on the outcomes of the DPIA (Consult with Data Protection Officer)
Integrating data protection solutions into the project
Mandatory circumstances where a DPIA must be conducted:
In addition, in accordance with GDPR Article 35(4), the Data Protection Commissioner has determined that a DPIA will also be mandatory for the following types of processing operation, where a documented screening or preliminary risk assessment indicates that the processing operation is likely to result in a high risk to the rights and freedoms of individuals pursuant to GDPR Article 35(1):
1) Use of personal data on a large scale for a purpose (or purposes) other than that for which it was initially collected, pursuant to GDPR Article 6(4).
2) Profiling vulnerable persons including children to target marketing or online services at such persons.
3) Use of profiling or algorithmic means or special category data as an element to determine access to services or that results in legal or similarly significant effects.
4) Systematically monitoring, tracking or observing individuals’ location or behaviour.
5) Profiling individuals on a large scale.