As part of their GDPR 12 Month Countdown series, Razia Begum and Rachel Ashwood answer key questions about conducting Data Protection Impact Assessments in connection with HR data.
1. What is a Data Protection Impact Assessment (‘DPIA’)?
Many organisations may already be familiar with the concept of a Privacy Impact Assessment (‘PIA’) because it is a process already conducted as a matter of good business practice. Just like a PIA, a Data Protection Impact Assessment (‘DPIA’) under the GDPR is a process which helps organisations to identify and mitigate the risks associated with the processing of personal data; for example, a DPIA may help an employer to assess whether the benefits of new HR software outweigh any potential risk to the privacy of its employees.
However, there are many important differences between DPIAs and PIAs, as set out below, which employers should familiarise themselves with. Whilst the GDPR does not define a DPIA, it does set out the circumstances in which carrying out a DPIA is mandatory and sets out the core requirements of a DPIA. Employers that fail to comply with DPIA stipulations risk falling foul of potential financial penalties.
2. When do I have to carry out a DPIA?
Under the GDPR, employers are obliged to carry out a DPIA whenever the processing of personal data is “likely to result in a high risk to the rights and freedoms of natural persons”. In practice, this means taking an initial view of both the categories of personal data involved and the nature and impact of the processing activity.
According to EU-level guidance from the Article 29 Data Protection Working Party (‘WP29’), it is important to consider, amongst other things, whether the processing activity involves:
- evaluation or scoring (including profiling or predicting information based on the data subject’s performance at work);
- automated decision-making with legal or similar significant effect (for example, where the processing could lead to discrimination against individuals);
- systematic monitoring (such as CCTV or workstation monitoring);
- special categories of data (including personal data about racial or ethnic origin, a data subject’s health or their criminal convictions);
- new technology (such as fingerprint or face recognition software to access the workplace); and/or
- data concerning vulnerable subjects (which may include employees) where, for example, there is an imbalance of power between the employer as a data controller and the employee as a data subject and those employees don’t have a genuine option to consent to or object to the processing of their data.
The more of the above criteria the processing activity involves, the more likely it is that a DPIA should be conducted. WP29 suggests that any processing operation meeting two or more of its criteria should require a DPIA. For example, if an employer decides to monitor its employees’ internet use, that may meet the ‘systematic monitoring’ and ‘data concerning vulnerable subjects’ criteria.
Employers should consider DPIAs at the outset of any new project involving personal data. Respecting employee privacy and understanding the potential risks to their personal data should be addressed at the planning stage. DPIAs should therefore not be an afterthought but rather something to be done in advance of any processing.
Determining whether a DPIA is required should be at the forefront of employers’ minds when contemplating any new HR projects that will take effect after May 2018. However, WP29 also recommends that as a matter of good practice, they should also be considered for processes already in existence at that date. Further, employers should recognise that a DPIA is a live and fluid process, so should be reviewed periodically. WP29 suggests this should take place every 3 years (or sooner if the risks posed to personal data increase or the context of the processing changes).
3. How do I conduct a DPIA and who is responsible for it?
A DPIA must be a genuine evaluation of the risks posed to employees and outline the measures that an employer envisages taking to address them. Beyond this, there is no strict form a DPIA must take; instead what is appropriate will depend (amongst other things) upon the nature and complexity of the processing, the potential risks posed by the processing, the resources of the employer and any further guidelines that may be put in place (for example, any guidelines related to a specific industry sector).
In conducting a DPIA, organisations should ask themselves the following questions:
- What does the processing activity involve?
- What is the purpose of the processing?
- Is it necessary and proportionate given the risks involved?
- What measures are in place to mitigate the risks?
- Does the processing activity comply with the GDPR in all other respects?
It is ultimately the responsibility of the employer as a data controller to conduct a DPIA, though this must be done in consultation with the Data Protection Officer (if the organisation has appointed one). In certain circumstances, it may also be appropriate for employers to consult with “data subjects or their representatives” as part of the DPIA. This is a judgement call for employers to make but it may be appropriate to seek the input of any recognised trade union or other staff representatives, as part of carrying out the DPIA.
Finally, if the processing activity is carried out entirely or partly by a data processor (such as a payroll provider or a background checking company), the processor should provide the controller with any necessary assistance or information.
4. What should I do once I have conducted the DPIA?
There is no legal requirement to publish the outcome of a DPIA, though employers as controllers should document the process undertaken. Any record should include the privacy issues and potential solutions identified, as well as the reasons why a particular processing activity went ahead or was abandoned. It is important to keep a paper trail in the event of a claim and/or investigation by the supervisory authority.
In the event that the DPIA shows high “residual risks” to employees, the employer is obliged to consult with the relevant supervisory authority before any processing takes place. For most UK companies, this will be the Information Commissioner’s Office (‘ICO’). Broadly speaking, a high residual risk is one that cannot be sufficiently addressed by the measures put in place to protect the rights of the data subjects.
Although a DPIA is a good way to demonstrate compliance with the GDPR, it should not be seen as a mere tick-box exercise. By identifying the risks posed to personal data alongside the safeguards in place, employers can determine whether the processing activity is worth undertaking. A DPIA is not a way to justify processing at all costs – it is a transparent way of assessing the risks to key stakeholders and implementing and enforcing appropriate measures to address any privacy issues raised.
5. Is there anything else I need to know?
- Multiple DPIAs: As a small saving grace, employers are not required to conduct multiple DPIAs if the processing activities are sufficiently similar in terms of the purpose, context or risks involved. For example, one single DPIA should be sufficient to cover the use of CCTV across an employer’s UK offices, unless the risks posed or nature of the surveillance is different across those offices.
- Guidance: In due course, the European Data Protection Board will be issuing guidelines, recommendations and best practice to ensure compliance with the GDPR. Such assistance is anticipated in connection with DPIAs, although no indication has been provided as to when that can be expected.
- Mandatory DPIA: Supervisory authorities such as the ICO must make public a list of the types of processing operations which are subject to a mandatory DPIA. Conversely, the GDPR also states that supervisory authorities may list the circumstances where DPIAs are unnecessary. Whilst the ICO is yet to publish either list, you can follow our GDPR toolkit for HR practitioners page to keep up to date with the latest developments.