When do you need a Data Protection Impact Assessment?
Changes to the way you process data, particularly through the introduction of new technology, could compromise individual privacy and data protection rights. An effective strategy for managing this risk would be to conduct a Data Protection Impact Assessment (‘DPIA’).
What is a DPIA?
Carrying out a DPIA is a requirement where the type of processing is likely to place the rights and freedoms of individuals at high risk. In these circumstances, it is mandatory for businesses and organisations to conduct a DPIA in accordance with article 35(1) of the UK General Data Protection Regulation (‘UK GDPR’).
When is a DPIA needed?
Conducting a DPIA allows you to identify and fix any problems at an early stage of a project. DPIAs are therefore a vital part of a data protection strategy when designing a new project or when making changes to an existing system.
The UK government failed to carry out a DPIA before rolling out the ‘Test and Trace’ programme last year. Despite the need for rapid implementation during the pandemic, this was a significant breach of current UK GDPR rules where personal data is collected on this sort of vast scale.
The most likely circumstances where a DPIA is needed include the use of:
- ‘innovative’ technology (e.g. artificial intelligence) or existing technology deployed in a new way
- automated decision-making (making a decision without human involvement) to determine an individual’s access to a product, service, opportunity, or benefit
- large scale profiling of individuals. Profiling analyses aspects of an individual’s personality, behaviour, interests and habits to make predictions or decisions about them
- special category data, such as health or medical data or information about someone’s racial or ethnic original, political opinions or sexual orientation
- biometric data, including the use of fingerprint or retinal scanners in the workplace
- genetic data
- data matching, where combining, comparing, or matching personal data is obtained from multiple sources
- tracking devices to record individuals’ location or behaviour, such as tachographs within company vehicles or CCTV monitors in a warehouse. This could also cover electronic surveillance of employee activity whilst at work (such as monitoring internet and email usage).
However, even in situations where a high risk is not identified, it should be regarded as good practice for an employer, business or organisation to complete a DPIA as this gives confidence in the organisation’s decision-making processes to employees and stakeholders.
Implications for working practices post-pandemic
The pandemic has prompted many business and individuals to adapt their processes and systems to enable a secure return to the workplace or facilitate hybrid working arrangements. As a result, it may be timely for employers to consider if they need to conduct a DPIA.
For example, certain sectors may now need to hold additional personal information about their employees. This might include details of their vaccination status, Covid test results and other related health and safety data. However, such initiatives could pose a risk to data protection rights.
The Information Commissioner’s Office (ICO) have a standard DPIA template which can be found here. However, to be effective, the DPIA should be tailored to your particular business needs. If you would like further advice on how to approach this evaluation, please contact Charlotte Burroughs at [email protected].