This article is the final one in our series on HR and the General Data Protection Regulation (GDPR). In it we look at what a DPIA is, when one is needed and what information it must include.
What is a DPIA and why is it important?
The concept of a DPIA (sometimes also known as a privacy impact assessment or PIA) may already be familiar to many employers and organisations (particularly those in the public sector). Essentially, they are a risk assessment of the proposed processing of personal data by an organisation. They are intended to help an organisation identify the most effective way to comply with its data protection obligations, identify and mitigate risks to data and meet individuals' expectations of privacy.
For a number of years, DPIAs have been advocated as best practice by the UK's Information Commissioner's Office (ICO) and many organisations carry out DPIAs as a matter of routine. However, when the GDPR comes into force in May 2018, DPIAs will be mandatory in certain circumstances, and will of course support the key accountability principle.
As we have indicated in previous articles, non-compliance with GDPR requirements could lead to fines of up to EUR 20 million or 4% of a group's worldwide turnover, whichever is greater. For DPIAs, however, non-compliance falls into the lower category of fines of up to EUR 10 million or 2% of a group's worldwide turnover, whichever is greater. It is therefore important that organisations fully understand their obligations under the new legislation.
When is a DPIA required?
In our previous article HR and GDPR: New concepts we explained that the GDPR seeks to change how organisations think about data protection through different principles, such as privacy by design. An integral part of this approach is that a DPIA will now be mandatory each time an organisation plans or proposes to introduce a new technology, project, activity or process that is likely to result in a "high risk" to the data protection rights of individuals. This will also apply when an organisation is planning revisions to existing technology, projects, activities or processes that will have the same effect. This applies to operations whether they include employee personal data or other forms of personal data.
From an HR perspective, "high risk" is likely to apply when the extent and frequency of the proposed technology, project, activity or process adversely affects or interferes with the data protection rights of employees under the GDPR. Examples include: the large-scale processing of special categories of data; personal data relating to criminal convictions; and large-scale, systematic monitoring of public areas (such as CCTV capture).
Recent guidelines published by the Data Protection Working Party ("the Guidelines") consider DPIAs and discuss how organisations should determine whether a proposed activity is likely to result in a "high risk". They advise that, in making the determination, the presence of the following factors should be considered:
- Evaluation or scoring, including profiling;
- Automated decision-making;
- Systematic monitoring of individuals (from an HR perspective this is likely to include an employer's decision to introduce or extend the scope of CCTV monitoring of employees);
- Processing sensitive data (for example in relation to employees' religious or political beliefs or trade union activities);
- Processing data on a large scale (for example the implementation of a new IT system for storing and accessing employee data);
- Matching or combining datasets;
- Processing data concerning vulnerable individuals;
- Innovative use or application of technological or organisational solutions;
- Data transfer across borders outside the European Union (for example transferring employee data to a third party service provider that is outside of the European Union);
- When the processing in itself "prevents data subjects from exercising a right or using a service or a contract".
The Guidelines indicate that, as a very general rule of thumb, if the proposed technology, project, activity or process meets at least two of the above criteria, it should be considered high risk and will therefore require a DPIA.
A DPIA must be carried out prior to the implementation of the technology, project, activity or process and ideally as early as practical in the design process. The DPIA will also need to be updated and/or steps repeated as the process develops, particularly if issues are identified which may affect the severity or likelihood of risk to the data protection rights of affected individuals.
Who is responsible for carrying out the DPIA?
A data controller (and the data protection lead in particular) is ultimately responsible and accountable for ensuring that a DPIA is carried out. However it can be prepared by someone else, inside or outside of the organisation. For example, if there is a senior manager in charge of the implementation of a new data processing activity, they may be best placed to oversee conduct of the DPIA on a day-to-day basis given their proximity to the project. When preparing the DPIA, an organisation must also seek the advice of their data protection officer (if one has been appointed), though the data protection officer will act in an advisory role.
What must the DPIA include?
A DPIA will essentially be a step-by-step review of the new technology, project, activity or process. It will need to examine each stage of the data processing activity and identify/address all of the risks involved in that activity.
The GDPR sets out the following minimum required features of a DPIA:
- A description of the envisaged processing operations and the purposes of the processing - for example, explaining what personal data will be used, whom it will be obtained from or disclosed to, and who will have access to it;
- An assessment of the necessity and proportionality of the data processing;
- An assessment of the risks to the rights of the individuals affected (for example, financial loss, distress or the risk that inadequate disclosure controls could increase the likelihood of personal data being shared inappropriately); and
- The measures envisaged to address the risks and demonstrate compliance with the GDPR. (Some risks can be eliminated altogether or reduced; however, most activities will have some impact on privacy and will require an organisation to accept some level of risk.)
Consultation with a broad range of stakeholders will also be an integral part of the DPIA process. Internally, this will mean speaking with the relevant departments involved with the proposed technology, project, process or activity, for example the IT team, the HR department or senior management, who will be able to highlight risks and solutions based on their own area of interest or expertise. Consultation with external stakeholders will also give an organisation the opportunity to get input from those who will ultimately be affected by the data processing activity. (Where the affected individuals are employees, any recognised employee forum or trade unions will need to be consulted.)
The GDPR does not specify a particular process that must be followed to carry out a DPIA, although there are a number of different established processes. Helpfully, Annex 1 of the Guidelines contains a list of links to examples of existing DPIA frameworks (including the ICO PIA code of practice) and to international standards containing DPIA methodologies. Annex 2 of the Guidelines also sets out the criteria for an acceptable DPIA by reference to the relevant GDPR provisions.
What are the next steps?
Once the DPIA is complete the organisation will need to ensure any steps recommended as a result of the assessment are integrated into the project plan (in respect of the proposed technology, project, activity or process) and more crucially, implemented.
If an outcome of the DPIA is that a risk cannot be mitigated, reduced or eliminated, the organisation will need to consider whether to reject the activity or to accept the risk. Any serious risks identified by the DPIA may need to be reported to the ICO to seek its opinion as to whether the intended processing operation complies with the GDPR.
The DPIA will need to be signed off at an appropriate level, e.g. by the board, a managing partner, a risk partner etc. Where the data protection officer's guidance is not followed, the organisation will need to document why.
The organisation's data inventory will also need to be updated to reflect the changes in processing operations, so that it remains an accurate overview of the organisation's processing activities. It would also be useful to include links to the DPIA undertaken so that it can be located easily, again supporting the accountability principle.
Organisations may also wish to consider publishing the report (or a summary of the content excluding any confidential information) to evidence and promote the organisation's compliance with the key GDPR principles of transparency and accountability.