The Importance of a DPIA

A Data Protection Impact Assessment (DPIA) helps Data Controllers identify the most effective way to comply with their GDPR obligations and reduce the risks of harm to individuals through the misuse of their personal data. A well-managed DPIA will identify problems and allow them to be fixed at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur. DPIAs are also an important tool for accountability as they help Data Controllers to demonstrate that appropriate measures have been taken to ensure compliance with the Data Protection Principles.

Consequences

Failure to conduct a DPIA, or failures in the process, can result in an administrative fine of up to 10 million Euros, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. 

A recent Norwegian case saw the data protection authority impose a fine of almost €47,000 on a town council in relation to its digital learning app. The Council communicated health-related information between school and home via the app, but insufficient security was put in place to avoid users accessing the personal data of others in their group. No risk assessment, DPIA or testing was undertaken before the application was rolled out. In May 2020, a company in Finland was fined €16,000 for failing to undertake a DPIA before processing the location data of its employees by tracking vehicles.

Of course there is also the reputational damage of not conducting a DPIA, especially when it comes to large-scale projects which rely on public confidence to ensure take-up and success. The Government has been criticised recently after it admitted that it had failed to complete a DPIA for the Covid19 Track and Trace Programme.

Article 35

Article 35 contains an obligation on Data Controllers to conduct a DPIA before carrying out personal data processing likely to result in a high risk to the rights and freedoms of individuals. If the DPIA identifies a high risk that cannot be mitigated, the Information Commissioner’s Office (ICO) must be consulted. Two documents are essential in understanding the concept of a DPIA, namely the Article 29 Working Party’s (A29WP, now the EDPB) data protection impact assessment guidelines and the ICO’s DPIA guidance.

Carrying out a DPIA is not mandatory for every personal data processing operation.
It is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)). Such processing, according to Article 35(3), includes (but is not limited to):

  • systematic and extensive evaluation of personal aspects relating to an individual which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significantly affect the individual
  • processing on a large scale of special categories of data or of personal data relating to criminal convictions or offences
  • a systematic monitoring of a publicly accessible area on a large scale

So what other cases will involve “high risk” processing that may require a DPIA?
The ICO’s DPIA guidance states that a Data Controller must conduct a DPIA if it plans to:

  • use new technologies;
  • use profiling or special category data to decide on access to services;
  • profile individuals on a large scale;
  • process biometric data;
  • process genetic data;
  • match data or combine datasets from different sources;
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
  • track individuals’ location or behaviour;
  • profile children or target marketing or online services at them; or
  • process data that might endanger the individual’s physical health or safety in the event of a security breach.

Who should conduct the DPIA?

A DPIA may be conducted by the Data Controller’s own staff or an external consultant.
Of course the Data Controller remains liable for ensuring it is done correctly. The Data Protection Officer’s advice, if one has been designated, must also be sought as well as the views (if appropriate) of Data Subjects or their representatives and Data Processors.

Help

Act Now is using its expertise to help make the task of conducting a DPIA less daunting. We are supporting an exciting new public sector collaboration to co-design and develop a Digital DPIA which should make this task much easier. The final product will be available in the Autumn. Watch this space! We are also running a series of online workshops on How to do a DPIA.

Act Now Supporting Innovative Digital DPIA Project

Act Now Training is pleased to announce that it is supporting a new public sector collaboration to co-design and develop a digital approach to Data Protection Impact Assessments (DPIAs).

This innovative six-month project will help Data Controllers conducting DPIAs to ensure that a ‘Data Protection by Design and Default’ approach is embedded into the process. The project is also supported by the Information Commissioner’s Office, NHSX and the Information and Records Management Society.

Greater Manchester Combined Authority, the London Office of Technology and Innovation, Norfolk County Council and the University of Nottingham are leading the project which follows on from a successful alpha phase undertaken last year. A full project overview can be read here: https://cc2i.org.uk/digital-dpia/

Ibrahim Hasan, Director of Act Now Training, said:

“We are really pleased to be supporting this innovative new project alongside the Information Commissioner’s Office, NHSX and the IRMS. A digital DPIA solution will be a valuable tool to help DPOs ensure that privacy and data protection are at the heart of every new data driven project.”

Are you a public authority wishing to share in this exciting new project and shape the future of the Digital DPIA? Using a proven co-funding approach (similar to crowdfunding, but on a corporate level), the collective is actively looking for partners to join them in this cost-neutral project.

A webinar on the project and approach is being hosted on Wednesday 12th at 2pm. Led by Stephen Girling, Information Governance Project Manager at GMCA and Lianne Hawkins, Head of Service Design at Looking Local, this webinar will cover:

  • The background and outcomes of the original Digital DPIA alpha project undertaken by GMCA – including the headline business case
  • The benefits of a uniform approach to DPIAs across public sector
  • The work packages planned to deliver a digital DPIA solution
  • Partner benefits and their motivation to be part of this collaborative approach
  • Project partners’ timelines and what’s involved

We would encourage all our blog subscribers to register for the webinar here: http://bit.ly/2ScGdi2. A recording of the webinar will also be available. Please email irene.zdziebko@cc2i.org.uk

Act Now launches GDPR Policy Pack

The first fine was issued recently under the General Data Protection Regulation (GDPR) by the Austrian data protection regulator. Whilst relatively modest at 4,800 Euros, it shows that regulators are ready and willing to exercise their GDPR enforcement powers.

Article 24 of GDPR emphasises the need for Data Controllers to demonstrate compliance through measures to “be reviewed and updated where necessary”. This includes the implementation of “appropriate data protection policies by the controller.” This can be daunting especially for those beginning their GDPR compliance journey.

Act Now has applied its information governance knowledge and experience to create a GDPR policy pack containing essential documentation templates to help you meet the requirements of GDPR as well as the Data Protection Act 2018. The pack includes, amongst other things, template privacy notices as well as procedures for data security and data breach reporting. Security is a very hot topic after the recent £500,000 fine levied on Equifax by the Information Commissioner under the Data Protection Act 1998.

We have also included template letters to deal with Data Subjects’ rights requests, including subject access. The detailed contents are set out below:

  • User guide
  • Policies
    • Data Protection Policy
    • Special Category Data Processing (DPA 2018)
    • CCTV
    • Information Security
  • Procedures
    • Data breach reporting
    • Data Protection Impact Assessment template
    • Data Subject rights request templates
  • Privacy Notices
    • Business clients and contacts
    • Customers
    • Employees and volunteers
    • Public authority services users
    • Website users
    • Members
  • Records and Tracking logs
    • Information Asset Register
    • Record of Processing Activity (Article 30)
    • Record of Special Category Data processing
    • Data Subject Rights request tracker
    • Information security incident log
    • Personal data breach log
    • Data protection advice log

The documents are designed to be as simple as possible while meeting the statutory requirements placed on Data Controllers. They are available as an instant download (in Word Format). Sequential files and names make locating each document very easy.

Click here to read sample documents.

The policy pack gives a useful starting point for organisations of all sizes, both in the public and private sector. For only £149 plus VAT (special introductory price) it will save you hours of drafting time. Click here to buy now or visit our website to find out more.

Act Now provides a full GDPR course programme including one-day workshops, e-learning, health checks and our GDPR Practitioner Certificate.
