23 March 2018

Paul Motion considers the Information Commissioner’s new draft guidance on Data Protection Impact Assessments, issued on 22 March 2018.

One of the new requirements of the GDPR is an obligation to do a Data Protection Impact Assessment (DPIA) before carrying out types of processing “likely to result in high risk to individual’s interests”. If the DPIA identifies a high risk that the business cannot mitigate, the business must consult the ICO. This is a key element of the GDPR’s new focus on “accountability” and “data protection by design”.

Although some organisations already carry out Privacy Impact Assessments (PIAs) most businesses will at least need to review their existing processes and some businesses will need to introduce entirely new processes. DPIAs are now mandatory in some cases and there are specific legal requirements for content in process. The Information Commissioner’s Office (ICO) has just published new guidance on DPIAs. The guidance is out for consultation until 13 April but is likely to be close to final form.

Probably the key issue for any business in deciding whether or not to do a DPIA is to identify the concept of “risk”.

The new guidance provides some pointers. Unhelpfully, there is no explicit definition of “risk” in the GDPR. Obviously risk includes risks to privacy and data protection rights but it also impacts upon other fundamental rights and interests.

Recital 75 of the GDPR links risk to the concept of potential harm or damage to individuals

“The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from data processing which could lead to physical material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data provided by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data”.

The last few words are important because although there have not been many cases where compensation was awarded for distress caused by a breach of the Data Protection Act, in those cases where compensation has been awarded, loss of control over personal data was a key factor. The focus is therefore on any potential harm to individuals.

When do we need to do a DPIA?

If you plan to do any of the following:

• Use systematic and extensive profiling with significant effects;
• Process special category or criminal offence data on a large scale;
• Systematically monitor publicly accessible places on a large scale;
• Use new technologies;
• Use profiling or special data to decide on access to services;
• Profile individuals on a large scale;
• Process biometric data;
• Process genetic data;
• Match data or combine data sets from different sources;
• Collect personal data from a source other than the individual without providing them with a privacy notice (“invisible processing”);
• Track individual’s location or behaviour;
• Profile children or target marketing or online services at them;
• Process data that might endanger the individual’s physical health or safety in the event of a security breach. 

The ICO says that even if there is no specific indication of likely high risk, DPIAs are still good practice for any major new project involving use of personal data.

The ICO’s consultation begins to focus the meaning of “high risk”. Risk in this context is about the potential for any significant physical material or non-material harmed to individuals. You need to consider both the likelihood and severity of any potential harm to individuals. Risk implies more than remote chance of harm. “High” risk implies a higher threshold because harm is more likely or because potential harm is more severe or a combination.

Nor does the GDPR define “likely to” result in high risk. This seems to point to a more high level screening test. There are features which point to the potential for high risk. Look for any red flags which indicate you need to do a DPIA to look at the risk in more detail.

The ICO guidance sets out 10 types of processing which the ICO thinks automatically require a DPIA. This list might be modified in the course of the consultation but the current categories are –

1. New technologies – processing involving the use of new technologies or novel application in existing technologies (including AI).
    
2. Denial of service: decisions about an individual’s access to a product, service, opportunity or benefit which is based on automated decision making (including profiling) or processing of special category data.
    
3. Large scale profiling - any profiling of individuals on a large scale.
    
4. Biometrics – any processing of biometric data.
    
5. Genetic data – any processing of genetic data other than that processed by an individual GP or health professional, for the provision of healthcare direct with the data subject.
    
6. Data matching: combining, comparing or matching personal data obtained from multiple sources.
    
7. Invisible processing: processing of personal data that has not been obtained direct from the data subject in circumstances where the controller considers the compliance with Article 14 would prove impossible or involve disproportionate effort. Article 14 requires the provision of privacy information at the point of first contact with the individual.
    
8. Tracking: processing which involves tracking on an individual’s geolocation or behaviour including but not limited to the online environment.
    
9. Targeting children or other vulnerable individuals: use of the personal data of children or other vulnerable individuals for marketing purposes, profiling or other automated decision making or if you intend to offer online services directly to children.
    
10. Risk of physical harm where processing is of such a nature that personal data could jeopardise the physical health or safely of individuals. The term “physical” is up for discussion. 

In addition to the ICO, the EU’s Article 29 Working Party which provides much guidance on data protection matters, has also published guidelines with 9 criteria which may act as indicators of likely high risk processing. They are:

• Evaluation or scoring;
• Automated decision making with legal or similar significant effect;
• Systematic monitoring;
• Sensitive data or data of a highly personal nature;
• Data processed on a large scale;
• Matching or combing data sets;
• Data concerning vulnerable data subjects;
• Innovative use or applying new technologies or organisational solutions;
• Preventing data subjects from exercising a right or using a service or contract.

In most cases a combination of two of these factors indicates the need for a DPIA although this is not a strict rule.

If you reach the view your organisation does *not* need to carry out a DPIA, you need to be absolutely confident of your reasons for not doing so and you should be able to justify a decision not to carry out a DPIA. This should be documented and sufficient information contained to allow an understanding of why the decision was taken. It is stressed that the ICO’s strong position on DPIAs is that the business should err on the side of caution and that DPIAs are best practice where they are not already mandatory.

The ICO’s guidance also contains detailed discussions about some of the terms used in the GDPR in relation to DPIAs. Further reading of the guidance is recommended since the discussion covers “new technologies, “systematic and extensive”, “significantly effect” and “large scale”.

There are some exceptions to the requirement to carry out a DPIA. These are –

1. If you are processing on the basis of legal obligation or public task however there are strict limitations on this exception and there must be a clear statutory basis.
    
2. You have already done a substantially similar DPIA.
    
3. The ICO issues a list of processing confirmations which don’t require a DPIA. No such list has yet been issued. 

How do we do a DPIA?

The ICO sets out 9 stages:

1. Identify a need for a DPIA.
2. Describe the processing.
3. Consider consultation.
4. Assess necessity and proportionality.
5. Identify and assess risks.
6. Identify measures to mitigate risks.
7. Sign off and record outcomes.
8. Integrate outcomes into plan.
9. Keep under review.

The draft DPIA guidance considers all of these in more detail.

Who should be involved in the DPIA?

The ICO recommends the following people should be involved and our advice would also be to keep the team lean –

1. The organisation’s data protection officer, if it has one.
    
2. Information security staff.
    
3. Any processors the organisation uses.
    
4. Legal advisers or other experts where relevant.

BTO’s Data Protection Team has very significant experience of advising businesses in relation to the GDPR and in preparing guidance and drafting process documentation tailored to the operation of the organisation and the requirements of the GDPR.

Paul Motion, Partner & Head of Data Protection Team

For further information about the matters raised in this blog/article, please contact Paul Motion at prm@bto.co.uk or Lynn Richmond at lyr@bto.co.uk, T: 0131 222 2939