Most organisations have moved on from the implementation phase of their GDPR project to deal with “business as usual” queries. In this, our second “GDPR bitesize” series, we discuss a number of common questions on the impact of the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 in day-to-day HR practice, focusing on the question of whether an employer needs to carry out a Data Privacy Impact Assessment in the context of a one-off surveillance exercise on one person.
The Data Privacy Impact Assessment (“DPIA”) is a process to help data controllers systematically analyse, identify and minimise the data protection risks of a project or a plan. It supports the aims of accountability and data protection by design and default, and reflects the new focus on taking a risk-based approach to data privacy.
A DPIA is a legal requirement to be carried out prior to any type of processing that is likely to result in a “high risk to the rights and freedoms of individuals”. Failure to carry out a DPIA when required may give rise to enforcement action from the ICO, including a fine of up to €10m or 2% of global annual turnover if higher.
Determining whether processing is “high risk” means assessing both the likelihood and the severity of potential harm. The key question is whether there are red flags which point to a potential for high risk and which mean a DPIA is required.
Article 35(3) of the GDPR lists three types of processing that automatically require a DPIA:
- Systematic and extensive profiling with significant effects
- Large scale use of sensitive data
- Public monitoring
The Article 29 working party of EU data protection authorities (WP29) has also published a list of nine criteria which may indicate high risk processing:
- Evaluation or scoring
- Automated decision-making with legal or similar significant effect
- Systematic monitoring
- Sensitive data/data of a highly personal nature
- Data processed on a large scale
- Matching or combining datasets
- Data concerning vulnerable data subjects
- Innovative use or application of new technological or organisational solutions
- Preventing data subjects from exercising a right or using a service or contract
Although not a strict rule, a combination of two or more of these factors indicates a DPIA is required. However, the ICO states that if only one factor is present a DPIA may be required and it would be good practice to carry one out.
The ICO have published a list of ten more types of processing that automatically require a DPIA (in addition to the three provided under the GDPR above):
- Innovative technology*
- Denial of service
- Large-scale profiling
- Genetic data*
- Data matching
- Invisible processing*
- Targeting of children or other vulnerable individuals
- Risk of physical harm
*indicates that a DPIA is only automatically required where this type of processing is combined with any of the criteria from the nine listed by the WP29 above.
Do we need to carry out a DPIA in the context of a one-off surveillance exercise on one person?
Even a one-off surveillance exercise carried out on one person may involve:
- Processing of sensitive data (e.g. health) or data of a highly personal nature
- Data concerning vulnerable data subjects (which includes employees where a power imbalance means they cannot easily consent or object to the processing of their data by their employer)
- The application of new technology (e.g. wearables)
- Tracking someone’s behaviour or location, including but not limited to the online environment.
On this basis we consider that a DPIA would be required in these circumstances. Importantly, the ICO states that if there is any doubt, a DPIA is recommended to ensure compliance and encourage best practice.
That said, a data controller may be able to avoid carrying out a DPIA if the nature, scope, context and purposes of the processing of data (as part of the surveillance) are very similar to processing for which a DPIA has already been carried out.
If it is decided that there will be no DPIA, the ICO recommends that the decision making process, and the reasons for not going ahead with a DPIA be recorded in case of challenge.