The Information Commissioner’s Office has updated its GDPR guidance section on Data Protection Impact Assessments (DPIAs), focussing on risk, accountability and data protection by design. Article 35(4) is also up for public consultation until 13th April.
Let’s take a quick look at what’s new.
Data Protection Impact Assessments and the GDPR
Data Protection Impact Assessments, or DPIAs, which will be mandatory to complete in some cases, are a new obligation for data processors under the General Data Protection Regulation.
When processing data that is ‘likely to result in high risk to individuals’ interests’, a DPIA will need to be conducted to determine the level of risk. If the level is high, the Information Commissioner’s Office requests that you consult them directly.
If you already carry out Privacy Impact Assessments (PIAs), you will need to review the process before 25th May 2018 to ensure it complies with the GDPR updates. Any organisation not yet carrying out Privacy Impact Assessments should take the time to design DPIAs and include them in their processes.
What is a Data Protection Impact Assessment?
This assessment, brought about by the GDPR, is a process that aims to help you identify and minimise (but not necessarily eradicate) any risk to the protection of the data that you and your organisation are processing. The ICO says that your Data Protection Impact Assessment must:
- describe the processing and your purposes;
- assess necessity and proportionality;
- identify and assess risks to individuals; and
- identify any measures to mitigate those risks and protect the data.
The main purpose of the assessment is to protect high-risk data, but it also helps you to demonstrate your commitment to information security and helps to build trust with individuals. Compliance risk is of high importance, but the broader risk to individuals’ rights and freedoms (including social or economic disadvantage) should also be considered in the Data Protection Impact Assessment. This includes the ‘potential for harm – whether physical, material or non-material – to individuals or to society at large.’
When do I need to conduct a Data Protection Impact Assessment?
As we touched upon earlier, the DPIA needs to be carried out before you process data that could result in high risk. This is to assess the level of the risk and identify factors that could impact individuals. The GDPR says you should conduct a DPIA if you:
- use systematic and extensive profiling with significant effects;
- process special category or criminal offence data on a large scale;
- systematically monitor publicly accessible places on a large scale;
- use new technologies;
- use profiling or special category data to decide on access to services;
- profile individuals on a large scale;
- process biometric data;
- process genetic data;
- match data or combine datasets from different sources;
- collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
- track individuals’ location or behaviour;
- profile children or target services at them; or
- process data that might endanger the individual’s physical health or safety in the event of a security breach.
How to carry out a Data Protection Impact Assessment
The ICO has published a high-level guide on the planning of your DPIA, shown here in the graphic, but you can tailor the process to fit in with your organisation. Remember, this should become one of your organisation’s core processes, so it needs to work for you. There are also European guidelines for planning DPIAs that you may wish to follow.
Open consultation on GDPR Article 35(4)
The Information Commissioner’s Office has opened its draft guidance on Data Protection Impact Assessments for public consultation. Read the details and have your say over on the ICO website.
The information in this blog is for general guidance and does not constitute legal advice.