Data Protection Impact Assessments

The folllowing guidance outlines the requirements under the GDPR to conduct Data Protection Impact Assessments (DPIA)

A DPIA is a process to help you identify and minimise the data protection risks of a project.

It is a mandatory requirement under GDPR for some riskier processes to conduct a DPIA at the earliest opportunity.

What's a DPIA?

Data Protection Impact Assessments (DPIAs) are a tool to help you identify and minimise the data protection risks of new projects. They are part of your accountability obligations under the GDPR, and an integral part of the ‘data protection by default and by design’ approach.

An effective DPIA helps you to identify and fix problems at an early stage, demonstrate compliance with your data protection obligations, meet individuals’ expectations of privacy and help avoid reputational damage which might otherwise occur. In some cases the GDPR says you must carry out a DPIA, but they can be a useful tool in other cases to.

Your DPIA must:

  • describe the nature, scope, context and purposes of the processing;
  • assess necessity, proportionality and compliance measures;
  • identify and assess risks to individuals; and
  • identify any additional measures to mitigate those risks.

To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.

You should consult Keele's data protection officer and, where appropriate, individuals and relevant experts. Any processors may also need to assist you.

If you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.

The ICO will give written advice within eight weeks, or 14 weeks in complex cases. If appropriate, we may issue a formal warning not to process the data, or ban the processing altogether.

Responsibilities

Information Asset Managers / Administrators are responsible for conducting DPIA’s where required for processing activities for data assets managed by them (as defined in the Asset Register).

For larger scale projects (which may involve perhaps multiple data sets) or where new systems (IT or manual) are being considered, then the DPIA process should be undertaken by the appropriate management team (Project Team / Project Manager).

If there is any doubt about who or when a DPIA should be considered, consult with the Data Protection Officer (DPO).

The Data Protection Officer (DPO) should review and approve all DPIA’s and can advise the Data Managers/Administrators as required. Significant risks which are not mitigated as part of the process should be reported to the relevant Information Asset Owner (IAO) and the Senior Information Risk Owner (SIRO)

The Senior Information Risk Owner (SIRO) may be required to sanction the processing activity under assessment if the DPO considers significant risk remains after all mitigation measure have been considered.

When a DPIA should be conducted?

Under the GDPR, Keele will be required to undertake DPIAs before data processing for processing is likely to result in a high risk to the rights and freedoms of individuals.

To assess whether something is ‘high risk’, the GDPR is clear that you need to consider both the likelihood and severity of any potential harm to individuals. ‘Risk’ implies a more than remote chance of some harm. ‘High risk’ implies a higher threshold, either because the harm is more likely, or because the potential harm is more severe, or a combination of the two. Assessing the likelihood of risk in that sense is part of the job of a DPIA.

However, the question for these initial screening purposes is whether the processing is of a type likely to result in a high risk.

The GDPR lays out 3 types of processing which will always require a DPIA:

1. Systematic and extensive profiling with significant effects

2. Large scale use of sensitive personal data (Special Category and Criminal data)

3. Public Monitoring (e.g. large scale CCTV)

The UK Information Commissioners Office (the ICO) has also published a further list of activities which are likely to be a high risk and therefore require a DPIA:

  1. New technologies: processing involving the use of new technologies, or the novel application of existing technologies (including AI).
  2. Denial of service: Decisions about an individual’s access to a product, service, opportunity or benefit which is based to any extent on automated decision-making (including profiling) or involves the processing of special category data.
  3. Large-scale profiling: any profiling of individuals on a large scale.
  4. Biometrics: any processing of biometric data.
  5. Genetic data: any processing of genetic data, other than that processed by an individual GP or health professional for the provision of health care direct to the data subject.
  6. Data matching: combining, comparing or matching personal data obtained from multiple sources.
  7. Invisible processing: processing of personal data that has not been obtained direct from the data subject in circumstances where the controller considers that compliance with Article 14 would prove impossible or involve disproportionate effort.
  8. Tracking: processing which involves tracking an individual’s geolocation or behaviour, including but not limited to the online environment.
  9. Targeting of children or other vulnerable individuals: The use of the personal data of children or other vulnerable individuals for marketing purposes, profiling or other automated decision-making, or if you intend to offer online services directly to children.
  10. Risk of physical harm: Where the processing is of such a nature that a personal data breach could jeopardise the [physical] health or safety of individuals.

 

For processing operations other than those specified above, we should ask the following questions to ascertain whether it is necessary to conduct a DPIA:

  • Are you undertaking evaluation or scoring, including profiling and predicting, of aspects specific to the data subject, such as credit monitoring and genetic testing?
  • Does the processing involve automated decision making that produces a significant effect on the data subject?
  • Are you performing systematic monitoring of data subjects?
  • Does the processing involve any sensitive data or data regarding criminal offences?
  • Is the data being processed on a large scale? As there is no definition of large scale processing in the Regulation, use the following factors in ascertaining whether the processing is being carried out on a large scale:
    • the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
    • the volume of data and/or the range of different data items being processed;
    • the duration, or permanence, of the data processing activity; and
    • the geographical extent of the processing activity.
  • Have datasets been matched or combined?
  • Does the data concern vulnerable data subjects?
  • Is this an innovative use or does it apply technological or organisational solutions (for example, combining use of finger print and facial recognition)?
  • Are you transferring data outside the EU?
  • Will the processing itself prevent data subjects from exercising a right or using a service or a contract?

As a general rule of thumb, processing operations that meet at least two of these criteria will require a DPIA. However, a processing operation meeting only one criterion may require a DPIA, depending on the circumstances. It is also recommended to use a DPIA when a processing operation is using new data processing technology. If in doubt over whether a DPIA is required, it is prudent to err on the side of caution and carry out a DPIA.

Further guidance is provided by the ICO at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/when-do-we-need-to-do-a-dpia/

When a DPIA is not required

You may not have to carry out a DPIA if:

  • You are processing on the basis of legal obligation or public task. However, this exception only applies if:
    • you have a clear statutory basis for the processing;
    • the legal provision or a statutory code specifically provides for and regulates the processing operation in question  - this means you must be able to identify the specific law which tells you to do the particular processing in question. Much of the processing in the university may have a public task basis - but we would not be able to pin the exact processing activity on a specifc clause in a law;
    • you are not subject to other obligations to complete DPIAs, such as mandatory minimum measures required by Cabinet Office for consideration of information governance risks or requirements derived from specific legislation, such as Digital Economy Act 2017; or
    • a data protection risk assessment was carried out as part of the impact assessment when the legislation was adopted.

It is unlikely that the above exemption would apply to Keele, but if in any doubt contact the DPO

  • You have already done a substantially similar DPIA. You need to be confident that you can demonstrate that the nature, scope, context and purposes of the processing are all similar.
  • The ICO issues a list of processing operations which do not require a DPIA. The ICO have the power to establish this type of list, but have not done so yet.

Pre-existing processing operations

The GDPR is silent on whether the DPIA requirement will apply in relation to processing operations already underway. Similarly, once a DPIA has been carried out, the question arises if it must ever be revisited or repeated during the lifetime of the processing operation.

On the one hand, it is burdensome to expect organisations to assess all of their existing processing operations to determine whether they need to be subjected to a DPIA under the Regulation, and then to carry out any necessary DPIAs. A need to repeatedly engage in DPIAs for the same processing activity would also be very onerous. On the other hand, turning a blind eye to existing processing operations, or choosing to run a DPIA once and then never to revisit its content, runs the risk that data subjects' interests could be overlooked.

It is strongly recommended that a DPIA should be carried out for any data processing operations that are already underway and would meet the test requiring a DPIA.

In relation to repeating or reviewing DPIAs, Article 35(11) of the Regulation requires controllers to carry out reviews to assess if processing is carried out in accordance with the DPIA "at least when there is a change of … risk". In addition, it is recommended that as a matter of good practice, DPIAs should be continuously carried out, and re-assessed after three years, and in certain cases more frequently.

Who should be consulted when conducting a DPIA?

Ultimately, the controller is responsible for conducting the DPIA, regardless of whether the controller or another entity carries out the DPIA. Although the controller is ultimately responsible for conducting the DPIA, it will be obliged in certain circumstances, or in other cases where it considers it useful, to consult with various parties for the purposes of conducting a DPIA. Those parties may include the:

  • Data Protection Officer (DPO).
  • Processors. Where the processing operation is performed wholly or partly by a data processor, the processor must assist the controller in conducting the DPIA and must provide any necessary information.
  • Data subjects. The Regulation specifies that "where appropriate" the controller must seek the views of data subjects or their representatives. However, there is protection for an organisation's intellectual property and business interests, as this obligation is without prejudice to the protection of commercial or public interests or the security of processing operations. We could use a study, a formal question to the staff representatives or trade/labour unions or a survey sent to future customers as possible consultation methods. The A29WP also emphasises the importance of documenting these consultation processes. Where a data controller's final decision differs from the views of the data subjects, we should document the reasons in support of its decision. Similarly, where a data controller decides that it is not appropriate to seek the views of data subjects, we should record the reasoning for this decision.
  • Information Commissioner’s Office. If the outcome of the DPIA indicates a high risk in the absence of risk mitigation measures, the controller must consult the ICO before commencing processing operations. Consult with the DPO in this instance.

Depending on the context of the processing, it may be prudent and helpful to consult with additional parties for the purposes of conducting a DPIA, including:

  • Responsible business units.
  • Independent experts of different professions including lawyers, technicians, security experts, sociologists, ethics advisors and so on.
  • The Information Security Manager and/or the IT department.

When and how the ICO should be consulted

We don’t need to send every DPIA to the ICO. But we must consult the ICO if the DPIA identifies a high risk and we cannot take measures to reduce that risk. We cannot begin the processing until we have consulted the ICO.

If you want your project to proceed effectively then investing time in producing a comprehensive DPIA may prevent any delays later, if we have to consult with the ICO.

Once the ICO have the information they need, they will generally respond within eight weeks (although they can extend this by a further six weeks in complex cases).

They will provide us with a written response advising us whether the risks are acceptable, or whether we need to take further action. In some cases they may advise us not to carry out the processing because they consider it would be in breach of the GDPR. In appropriate cases they may issue a formal warning or take action to ban the processing altogether.

 

Consequences for Keele failing to conduct a mandated DPIA

Failure to comply with the DPIA requirements can result in significant fines being imposed by the ICO. The following omissions can each result in an administrative fine of up to EUR10 million:

  • Failure to carry out a DPIA when the processing is subject to a DPIA.
  • Carrying out a DPIA in an incorrect manner.
  • Failure to consult the ICO where required.

How to conduct a DPIA

Procedure:

  1. Download the DPIA Template below 
  2. Complete the screening assessment - if required to complete the DPIA then proceed below. If it is decided a full DPIA is not required then send screening page to the DPO (putting DPIA in the subject line)
  3. Complete assessment (there may be a number of iterations to the assesment)
  4. Build in mitigations to your project design
  5. Send completed DPIA to the DPO (putting DPIA in the subject line)

Be aware - The University is subject to Freedom of Information requirements and DPIA may well be requested as part of an FOI request. In order to comply with best practice for the purposes of the FOI and for general transparency we would look to publish all our DPIA's on the website (with suitable redaction if applicable). Note - we would not publish DPIA's whilst the subject matter may be subject to commercial secrecy.

Any queries about how and when to do a DPIA - please contact Anne-Marie Long - DPO