When To Do A DPIA?

Tagged with GDPR HELP, GDPR ADVICE, GDPR
by Adam Brogden
in Blog

27-Nov-2019 10:57

A Data Protection Impact Assessment (DPIA) is probably the most complicated document you will have to produce as part of any GDPR implementation. It is used to assess your data processing approach in great detail and to examine every risk associated with that processing. There are no official templates and little online help available. Don’t worry - we can help! We have worked with many companies to complete their DPIAs and have ensured all risks are addressed. Whether your processing requires a DPIA at all is actually quite a complicated question. You can call us anytime to discuss it, and please take a look at this advice from the ICO.

_________________________________

What is the general rule?

Article 35(1) says that you must do a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of individuals.

What does ‘high risk’ mean?

Risk in this context is about the potential for any significant physical, material or non-material harm to individuals. See What is a DPIA? for more information on the nature of the risk.

To assess whether something is ‘high risk’, the GDPR is clear that you need to consider both the likelihood and severity of any potential harm to individuals. ‘Risk’ implies a more than remote chance of some harm. ‘High risk’ implies a higher threshold, either because the harm is more likely, or because the potential harm is more severe, or a combination of the two. Assessing the likelihood of risk in that sense is part of the job of a DPIA. However, the question for these initial screening purposes is whether the processing is of a type likely to result in a high risk.

What does ‘likely to result in a high risk’ mean?

The GDPR doesn’t define ‘likely to result in high risk’. However, the important point here is not whether the processing is actually high risk or likely to result in harm – that is the job of the DPIA itself to assess in detail. Instead, the question is a more high-level screening test: are there features which point to the potential for high risk? You are screening for any red flags which indicate that you need to do a DPIA to look at the risk (including the likelihood and severity of potential harm) in more detail.

Article 35(3) lists three examples of types of processing that automatically require a DPIA, and the ICO has published a list under Article 35(4) setting out ten more. There are also European guidelines with some criteria to help you identify other processing that is likely to be high risk.

This does not mean that these types of processing are always high risk, or are always likely to cause harm – just that there is a reasonable chance they may be high risk and so a DPIA is required to assess the level of risk in more detail.

If your intended processing is not described under Article 35(3) GDPR, the ICO list or the European guidelines, then ultimately it is up to you to decide whether your processing is of a type likely to result in high risk, taking into account the nature, scope, context and purposes of the processing. If in any doubt, we would always recommend that you do a DPIA to ensure compliance and encourage best practice.

What types of processing automatically require a DPIA?

The ICO is required by Article 35(4) to publish a list of processing operations that require a DPIA. This list complements and further specifies the criteria referred to in the European guidelines. Some of these operations require a DPIA automatically, and some only when they occur in combination with one of the other items, or any of the criteria in the guidelines. For example:

  1. Innovative technology: processing involving the use of innovative technologies, or the novel application of existing technologies (including AI). A DPIA is required where this processing is combined with any of the criteria from the European guidelines.

  2. Denial of service: Decisions about an individual’s access to a product, service, opportunity or benefit that is based to any extent on automated decision-making (including profiling) or involves the processing of special category data.

  3. Large-scale profiling: any profiling of individuals on a large scale.

  4. Biometrics: any processing of biometric data. A DPIA is required where this processing is combined with any of the criteria from the European guidelines.

  5. Genetic data: any processing of genetic data, other than that processed by an individual GP or health professional for the provision of health care direct to the data subject. A DPIA is required where this processing is combined with any of the criteria from the European guidelines.

  6. Data matching: combining, comparing or matching personal data obtained from multiple sources.

  7. Invisible processing: processing of personal data that has not been obtained direct from the data subject in circumstances where the controller considers that compliance with Article 14 would prove impossible or involve disproportionate effort. A DPIA is required where this processing is combined with any of the criteria from the European guidelines.

  8. Tracking: processing which involves tracking an individual’s geolocation or behaviour, including but not limited to the online environment. A DPIA is required where this processing is combined with any of the criteria from the European guidelines.

  9. Targeting of children or other vulnerable individuals: the use of the personal data of children or other vulnerable individuals for marketing purposes, profiling or other automated decision-making, or if you intend to offer online services directly to children.

  10. Risk of physical harm: where the processing is of such a nature that a personal data breach could jeopardise the [physical] health or safety of individuals.

You should also be aware that the data protection authorities in other EU member states will publish lists of the types of processing that require a DPIA in their jurisdiction.

As you can see, this is a pretty complex area. Feel free to call us anytime.

Hope this helps, good luck all.