In our continuing countdown to GDPR, we take up a key element in the upcoming General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018, that being the issue of the Data Protection Impact Assessment (DPIA). As always, I am joined in this exploration by Jonathan Armstrong, partner at the Cordery firm London. The UK Data Protection Regulator, the Information Commissioner’s Office (ICO), recently published new draft guidance on conducting DPIAs, entitled “Consultation: GDPR DPIA guidance”(Consultative Guidance).
A DPIA is mandatory in some cases under GDPR. At its simplest, it is a way of assessing data protection risk in any process that involves personal data. A good DPIA process will enable you to identify exactly what you are planning to do with personal data, what the risks are and how you are going to address them. The Consultative Guidance notes that your DPIA “should describe the nature, scope, context and purposes of the processing; assess necessity, proportionality and compliance measures; identify and assess risks to individuals; and identify any additional measures to mitigate those risks.” There are consultation obligations as part of the DPIA process, including, in some cases, the obligation to show your DPIA to a Data Protection Authority (DPA) and seek prior approval. Armstrong views DPIAs as a key element of any GDPR plan and says that, “done well a DPIA can reduce data protection risk but also reduce risk across the board.”
The ICO also notes, “DPIAs are an essential part of your accountability obligations. Conducting a DPIA is a legal requirement for any type of processing that is likely to result in high risk (including certain specified types of processing). Failing to carry out a DPIA in these cases may leave you open to enforcement action, including a fine of up to €10 million, or 2% global annual turnover if higher.” DPIAs bring compliance benefits, as they can be an effective mechanism to assess and demonstrate your compliance with all data protection principles and obligations, but the ICO cautions, “DPIAs are not just a compliance exercise. An effective DPIA allows you to identify and fix problems at an early stage, bringing broader benefits for both individuals and your organisation.”
The key thing to remember about DPIAs is that they are essentially risk assessments, and that should not scare anyone. Whenever you are doing something new, whether that be a new process, a new business venture or partner, or using a new vendor, you should consider the risk from the data protection perspective through a DPIA. You can then use the DPIA to help design a risk mitigation strategy for your data protection risks. Unfortunately, Armstrong has found that many compliance practitioners and even Data Protection Officers (DPOs) are afraid of them, “and I think many people are putting them into the bottom of their desks, when really they should now be at the top.” DPIAs are a significant way of reducing risk in a business, and they can also reduce your legal exposure: by reducing your risk, you reduce your potential for fines, suspension of data transfers and civil actions.
I asked Armstrong if he might provide an example, and he gave one which I found instructive, as a DPIA must consider both the likelihood and the severity of any impact on individuals, as well as on the corporations subject to GDPR. He said, “I might say that I’m going to do that as a benefit for the corporation to help secure data which in and of itself helps an entity comply with GDPR. Obviously, there is a benefit to individuals because they might have some of their data on those laptops for work at home and it might be better for work life balance if I identify risks that employees with the device might incur outside of working hours.” He then added, “I might identify a risk that employees will be worried that they’re being tracked because they carry the device with them and I can mitigate those risks down by looking at technologies like geo-fencing rather than geo-location.”
Indeed, the UK Data Protection Regulator, the ICO, has said of the DPIA, “You should not view a DPIA as a one-off exercise to file away. A DPIA is a ‘living’ process to help you manage and review the risks of the processing and the measures you’ve put in place on an ongoing basis. You need to keep it under review and reassess if anything changes. In particular, if you make any significant changes to how or why you process personal data, or to the amount of data you collect, you need to show that your DPIA assesses any new risks. An external change to the wider context of the processing should also prompt you to review your DPIA. For example, if a new security flaw is identified, new technology is made available, or a new public concern is raised over the type of processing you do or the vulnerability of a particular group of data subjects.”
Armstrong said that ideally a company would “start at the beginning with their data or with a third-party relationship” in performing a DPIA. However, recognizing the difficulty of this approach, Armstrong noted, “it isn’t mandatory to do the DPIA on existing processes. If your process changes then you should do a DPIA. For example, if you’re tracking laptops with a Vendor A and under existing process you do that already but you then switch to Vendor B; at that point you probably need to perform a DPIA. This is because the change in vendors is really a change in the whole process not just a change of vendor so an existing process changes.”
Through the use of DPIAs, a company can reassure individuals that it is protecting their interests and has reduced any negative impact on them as much as it can. Conducting and publishing a DPIA can also improve transparency and make it easier for individuals to understand how and why you are using their information. This could lead to additional benefits for your company’s reputation and your relationships with both your employees and your customers. Conducting a DPIA can help you to build trust and engagement with the people using your services, and improve your understanding of their needs, concerns and expectations.
Facebook, are you listening?
To learn more, check the podcast series Countdown to GDPR-Episode 4, by clicking here.
For more information, check out Cordery’s great GDPR resource, GDPR Navigator.
Finally, if you are in Houston on April 10, the Greater Houston Business and Ethics Roundtable is hosting Jonathan Armstrong for a half-day GDPR workshop, entitled “Are You Ready for GDPR?”. For information and registration, click here.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2018