The General Data Protection Regulation (GDPR) will come into force in about 10 months. There is plenty to learn and do before then including:
Raising awareness about GDPR at all levels
Reviewing how you address records management and information risk in your organisation.
Reviewing compliance with the existing law as well as the six new DP Principles.
Revising privacy polices in the light of the GDPR’s more prescriptive transparency requirements.
Reviewing information security polices and procedures in the light of the GDPR’s more stringent security obligations particularly breach notification.
Writing polices and procedures to deal with new and revised Data Subject rights such as Data Portability and Subject Access.
Considering whether you need a Data Protection Officer and if so who is going to do the job.
As well as:
Considering when you will need to do a Data Protection Impact Assessment (DPIA).
Article 35 of GDPR introduces this concept. DPIAs (also known as Privacy Impact Assessments) are a tool which can help Data Controllers identify the most effective way to comply with their GDPR obligations and reduce the risks of harm to individuals through the misuse of their personal information. A well-managed DPIA will allow Data Controllers to identify and fix problems at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur.
DPIAs are important tools for accountability, as they help Data Controllers not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance (see Article 24)4.)
When is a DPIA needed?
Carrying out a DPIA is not mandatory for every processing operation. A DPIA is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)).
Such processing, according to Article 35(3)), includes (but is not limited to):
systematic and extensive processing activities, including profiling and where decisions that have legal effects – or similarly significant effects – on individuals.
large scale processing of special categories of data or personal data relating to criminal convictions or offences.
large scale, systematic monitoring of public areas (CCTV).
So what other cases will involve “high risk” processing that may require a DPIA? In May, the Article 29 Working Party published its data protection impact assessment guidelines for comments. We are still waiting for the final version but I don’t think its is going to change much. It sets out the criteria for assessing whether processing is high risk. This includes processing involving:
Evaluation or scoring, including profiling and predicting especially from aspects concerning the Data Subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements
Automated decision-making with legal or similar significant effects
Systematic monitoring of individuals
Personal Data on a large scale
Datasets that have been matched or combined
Data concerning vulnerable Data Subjects
Innovative use or application of technological or organisational solutions
Data transfers across borders outside the European Union
Data that Prevents Data Subjects from exercising a right or using a service or a contract
What information should the DPIA contain?
The GDPR sets out the minimum features of a DPIA (Article 35(7), and Recitals 84 and 90):
A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the Data Controller.
An assessment of the necessity and proportionality of the processing in relation to the purpose.
An assessment of the risks to individuals.
The measures in place to address risk, including security, and to demonstrate that the Data Controller is complying with GDPR.
A DPIA can address more than one project.
The ICO’s Code of Practice on Privacy Impact Assessments will assist as well as the Irish Data Protection Commissioner’s Guidance.
When should a DPIA be conducted?
DPIA’s should be conducted prior to the processing operation commencing. DPIAs are an integral part of taking a Privacy by Design approach which is emphasised in Article 25. The DPIA should be treated as a continual process, not a one-time exercise. Data Controllers should start it early and update it throughout the lifecycle of the project.
The GDPR comes into force on 25th May 2018, and DPIAs are legally mandatory only for processing operations that are initiated after this date. Nevertheless, the Article 29 Working Party strongly recommends carrying out DPIAs for all high-risk operations prior to this date.
Who should conduct the DPIA?
A DPIA may be conducted by the Data Controller’s own staff or an external consultant. Of course the Data Controller remains liable for ensuring it is done correctly. The Data Protection Officer’s advice, if one has been designated, must also be sought as well as the views (if appropriate) of Data Subjects or their representatives.
If the DPIA suggests that any identified risks cannot be managed and the residual risk remains high, the Data Controller must consult with the Information Commissioner before moving forward with the project. Regardless of whether or not consultation with the ICO is required, the Data Controller’s obligations of retaining a record of the DPIA and updating the DPIA in due course remain.
Even if ICO consultation is not required, the DPIA may be reviewed by the ICO at a later date in the event of an audit or investigation arising from the Data Controller’s use of personal data.
What are the risks of non-compliance?
Failure to carry out a DPIA when the processing is subject to a DPIA (Article 35(1) and (3)), carrying out a DPIA in an incorrect way (Article 35(2) and (7) to (9)), or failing to consult the ICO where required (Article 36(3)(e)), can each result in an administrative fine of up to 10 million Euros, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.