Privacy impact assessments are at the heart of projects involving high risk data processing activities. Businesses are not always clear as to when and how such assessments should be carried out and often lack a clear process to run them effectively.
The General Data Protection Regulation (GDPR) creates a positive obligation on data controllers to carry out a data protection impact assessment (DPIA) where data processing activities are likely to result in a "high risk" to the rights and freedoms of individuals. The maximum sanction for failure to carry out a required DPIA is a fine of up to EUR 10m or 2% of annual global turnover, whichever is higher. Organisations should put a DPIA process in place to help them assess when a DPIA is required or recommended, to carry out the DPIA effectively, and to act on its results.
You are the data protection officer (DPO) of 'Company Ltd', a global company in the insurance sector. Company Ltd wishes to implement a 'revolutionary' new tool to track its employees' communications, movements and behaviour in order to help assess their performance.
You meet with the Head of HR, who provides details about the tool. You learn that the tool will: (i) monitor employees' communications, including emails and conference and video calls over its own network, on a permanent basis (including communications received or sent via business and personal devices); (ii) collect information from the building's entry/exit system, which uses fingerprint access to the premises; and (iii) be managed and accessed by individual contractors based in the Philippines. You are told that no security assessment has ever been carried out on those contractors.
Where "unusual activities" are detected, the tool will automatically create records and keep copies of the activity with the full details of the communications and the personal details of the employee. The information will not be filtered in any way.
The HR team also plans to match the information collected with data shared by its benefits provider, including health-related data. That information is to be kept on the employee file for performance and disciplinary purposes 'just in case', for an indefinite period. The employees have not been informed about the tool.
The Head of HR heard something about a privacy impact assessment process but is not sure whether it would be required for this project. She asks you whether there is anything Company Ltd should do before implementing the tool.
What should you do next?
Use your DPIA package
As the DPO of Company Ltd, you already have a comprehensive 'DPIA package' in place to evaluate when a DPIA should be conducted under the GDPR and to assess the likelihood and severity of risk. You have based your package on regulator recommendations including Article 29 Working Party guidance and the DPIA tool produced by the CNIL.
It contains an initial assessment checklist, the criteria and methodology to implement it, who to involve and/or consult, official guidance from the relevant supervisory authority and a matrix which helps you mitigate the privacy risks to an acceptable level. The package includes a regularly updated list of activities that may require a DPIA according to the relevant supervisory authority.
Is a DPIA needed?
There are a number of warning signs here that you spot immediately. In fact, you tell your Head of HR that she should have involved you in the process at a much earlier stage.
You know that the GDPR provides a list of activities which may result in "high risk" and require a DPIA, namely where:
- automated processing of personal data is conducted to profile, make predictions or take measures/decisions based on information about individuals;
- sensitive/special categories of personal data, such as race/ethnic origin, religious belief, genetic data, biometric data or information regarding criminal convictions, are processed on a large scale; and
- systematic monitoring of a publicly accessible area on a large scale is carried out.
The planned HR tool ticks all these boxes and will almost certainly present a high risk to individuals.
The tool is wide in scope, and the activities involved include processing special categories of personal data (biometric data is processed when the fingerprints are collected), processing on a large scale (the tool is deployed globally to all employees), and a systematic and extensive evaluation of personal aspects of natural persons based on automated processing, with potential evaluation and scoring of employees based on profiling. It surveys a large area, may collect personal data of non-employees, involves transferring personal data outside the EEA, and results in personal data being retained for unlimited periods. Finally, there are no plans to inform employees about the tool.
Carry out an initial assessment
Implementing a DPIA requires considerable time, effort and resources, so it is useful to carry out an initial assessment before starting a full DPIA process. You use your DPIA initial assessment checklist to help decide whether to conduct a full DPIA; this also helps you get buy-in from the other relevant stakeholders for a full DPIA.
After completing the initial assessment, you decide that the scope and purpose of the monitoring tool involves processing of personal data that is likely to result in a high risk to Company Ltd's employees' privacy rights. You decide to carry out a DPIA prior to commencing that processing.
It is worth mentioning that where you carry out an initial screening assessment and then decide the project does not require a DPIA because it will have minimal impact on privacy, you should keep a record of that decision and the reasons for it, so that it can be referred to in future if necessary.
Carry out the DPIA
Identify the processing activities and data flows and analyse risk
You need to set out the data flows and data processing involved clearly and assign them a risk level. This requires knowing how personal data is collected, stored, used, deleted and accessed, and by whom. A data mapping exercise could also help visualise the flows.
Involve the right stakeholders
It is key that the right stakeholders are involved at the outset of the DPIA lifecycle. You are already coming late into this process. Who else is involved in green-lighting this project? You will be looking at board level and across a variety of business functions, including procurement, IT and security, as well as engaging the Head of HR.
You may have to consult internally or externally to allow people to highlight privacy risks based on their own areas of interest and expertise. They may also be helpful when it comes to suggesting ways to minimise privacy risks.
The outcome of the DPIA should include the measures, safeguards and mechanisms envisaged for mitigating identified risk, ensuring the protection of personal data and demonstrating compliance with the GDPR. Appropriate measures will take account of the technology available and costs of implementation.
To mitigate the risks, you recommend:
- clarifying and reducing the scope of the tool;
- exempting personal communications from the monitoring;
- introducing human intervention so that monitoring and any resulting decisions do not occur on a purely automated basis;
- preventing the use of the information for performance evaluation purposes;
- not using contractors outside the EEA and carrying out a proper assessment of any data processor you use, including their security capability;
- applying a data retention policy so that data is not retained indefinitely;
- restricting monitoring to limited periods of time; and
- informing employees about the existence of the tool, why the business needs it and how it will be used.
After discussion with the relevant teams, the Head of HR is reluctant to introduce the mitigation measures you recommend. You tell the Head of HR that she cannot proceed with the tool, because where the residual risk remains high you need to consult your lead supervisory authority before the processing takes place. When she disagrees, you point out (respectfully) that severe breaches of the GDPR can result in substantial fines. The Head of HR agrees to reconsider.
There may be wider data privacy implications that would need to be considered depending on your jurisdiction, including a requirement to consult unions or works councils.