Does my organisation need a Data Protection Impact Assessment?

You must do a DPIA before you begin any type of processing that is “likely to result in a high risk”. This means that although you have not yet assessed the actual level of risk, you need to screen for factors that point to the potential for a widespread or serious impact on individuals.

If you have any major project that involves the use of personal data, it is good practice to do a DPIA. If you already intend to do a DPIA, go straight to step 2.

Otherwise, you need to check whether your processing is on the list of types of processing that automatically require a DPIA. If not, you need to screen for other factors that may indicate it is a type of processing that is likely to result in high risk, such as processing the data of vulnerable individuals.

You can use or adapt the checklists at the end of this guidance to help you do this screening. You can also read ‘When do we need to do a DPIA?’ for more guidance.

If you do this screening and decide a DPIA is not needed, you should document your decision and the reasons for it, including your DPO’s advice. This does not have to be a burdensome paperwork exercise. It just needs to help you demonstrate you have properly considered and complied with your DPIA obligations. For example, you could simply keep an annotated copy of the checklist.

If you are in any doubt, we strongly recommend you do a DPIA.

Step 2: How do we describe the processing?

Describe how and why you plan to use the personal data. Your description must include “the nature, scope, context and purposes of the processing”.

The nature of the processing is what you plan to do with the personal data. This should include, for example:

  • How you collect the data;
  • How you store the data;
  • How you use the data;
  • Who has access to the data;
  • Who you share the data with;
  • Whether you use any processors;
  • Retention periods;
  • Security measures;
  • Whether you are using any new technologies;
  • Whether you are using any novel types of processing; and
  • Which screening criteria you flagged as likely high risk.

The scope of the processing is what the processing covers. This should include, for example:

  • The nature of the personal data;
  • The volume and variety of the personal data;
  • The sensitivity of the personal data;
  • The extent and frequency of the processing;
  • The duration of the processing;
  • The number of data subjects involved; and
  • The geographical area covered.

The context of the processing is the wider picture, including internal and external factors which might affect expectations or impact. This might include, for example:

  • The source of the data;
  • The nature of your relationship with the individuals;
  • How far individuals have control over their data;
  • How far individuals are likely to expect the processing;
  • Whether these individuals include children or other vulnerable people;
  • Any previous experience of this type of processing;
  • Any relevant advances in technology or security;
  • Any current issues of public concern;
  • In due course, whether you comply with any UK GDPR codes of conduct (once any have been approved under Article 40) or UK GDPR certification schemes; and
  • Whether you have considered and complied with relevant codes of practice.

The purpose of the processing is the reason why you want to process the personal data. This should include:

  • Your legitimate interests, where relevant;
  • The intended outcome for individuals; and
  • The expected benefits for you or for society as a whole.

Further reading

Relevant provisions in the UK GDPR: see Article 35(7)(a) and Recitals 84, 90 and 94.

Step 3: Do we need to consult individuals?

You should seek and document the views of individuals (or their representatives) unless there is a good reason not to.

In most cases it should be possible to consult individuals in some form. However, if you decide this is not appropriate, you should record this decision as part of your DPIA, with a clear explanation. For example, you may be able to demonstrate that consultation would compromise commercial confidentiality, undermine security, or be disproportionate or impracticable.

If the DPIA covers the processing of personal data of existing contacts (for example, existing customers or employees), you should design a consultation process to seek the views of those particular individuals, or their representatives.

If the DPIA covers a plan to collect the personal data of individuals you have not yet identified, you may need to carry out a more general public consultation process, or targeted research. This could take the form of market research with a certain demographic or contacting relevant campaign or consumer groups for their views.

If your DPIA decision differs from the views of individuals, you need to document your reasons for disregarding their views.

Do we need to consult anyone else?

If you use a data processor, you may need to ask them for information and assistance. Your contracts with processors should require them to assist.

You should consult all relevant internal stakeholders, in particular anyone with responsibility for information security.

We also recommend you consider seeking legal advice or advice from other independent experts such as IT experts, sociologists or ethicists where appropriate. However, there are no specific requirements to do so.

Step 4: How do we assess necessity and proportionality?

You should consider:

  • Do your plans help to achieve your purpose?
  • Is there any other reasonable way to achieve the same result?

The Article 29 Working Party guidelines also say you should include how you ensure data protection compliance, which is a good measure of necessity and proportionality. In particular, you should include relevant details of:

  • Your lawful basis for the processing;
  • How you will prevent function creep;
  • How you intend to ensure data quality;
  • How you intend to ensure data minimisation;
  • How you intend to provide privacy information to individuals;
  • How you implement and support individuals’ rights;
  • Measures to ensure your processors comply; and
  • Safeguards for international transfers.

Step 5: How do we identify and assess risks?

Consider the potential impact on individuals and any harm or damage your processing may cause – whether physical, emotional or material. In particular, look at whether the processing could contribute to:

  • Inability to exercise rights (including but not limited to privacy rights);
  • Inability to access services or opportunities;
  • Loss of control over the use of personal data;
  • Discrimination;
  • Identity theft or fraud;
  • Financial loss;
  • Reputational damage;
  • Physical harm;
  • Loss of confidentiality;
  • Re-identification of pseudonymised data; or
  • Any other significant economic or social disadvantage.

You should include an assessment of the security risks, including sources of risk and the potential impact of each type of breach (including illegitimate access to, modification of or loss of personal data).

To assess whether the risk is a high risk, you need to consider both the likelihood and severity of the possible harm. Harm does not have to be inevitable to qualify as a risk or a high risk. It must be more than remote, but any significant possibility of very serious harm may still be enough to qualify as a high risk. Equally, a high probability of widespread but more minor harm may still count as high risk.

You must make an objective assessment of the risks. It is helpful to use a structured matrix to think about likelihood and severity of risks:
