Data protection impact assesment
What’s new under GDPR?
There is a new obligation to conduct a data protection impact assessment (DPIA) before carrying out processing likely to result in a high risk to individuals’ rights and freedoms. DPIAs form a key part of demonstrating accountability and data protection by design. If we are unable to mitigate the risk we must consult the ICO.
The University uses OneTrust software to carry out its DPIA but in some circumstances may consider the relevant risks and safeguards in another way (e.g. paper format).
What is a DPIA?
A DPIA helps us to analyse in detail the processing helping to identify and minimise data protection risks. These are not only the compliance risks but also broader risks to an individual’s rights and freedoms. Following a DPIA a risk may not be eliminated completely but it will help mitigate or reduce the risk and justify any remaining risk.
DPIAs should consider the potential for harm which can be physical, material and non-material. When evaluating the risk both the likelihood and the severity of any impact need to be taken into consideration.
A DPIA may cover more than one operation where they are similar and a DPIA may take several months of to properly conduct with some projects. It should not be viewed as a single point in time exercise but one that needs to be regularly reviewed.
A group of Data Controllers can also conduct joint DPIAs as with some research which involves several Universities.
When do we need a DPIA?
In short, before you begin processing that is ‘likely to result in a high risk’. You will not know the risk at the outset but certain criteria will indicate that there is a potential for a serious impact on individuals.
Under GDPR we must do a DPIA under the following circumstances where we plan to:
- use systematic and extensive profiling with significant effects;
- process special category or criminal offence data on a large scale; or
- systematically monitor publicly accessible places on a large scale.
The ICO also requires us to do a DPIA if we plan to:
- use innovative technology (in combination with any of the criteria from the European guidelines);
- use profiling or special category data to decide on access to services;
- profile individuals on a large scale;
- process biometric data (in combination with any of the criteria from the European guidelines);
- process genetic data (in combination with any of the criteria from the European guidelines);
- match data or combine datasets from different sources;
- collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
- track individuals’ location or behaviour;
- profile children or target marketing or online services at them; or
- process data that might endanger the individual’s physical health or safety in the event of a security breach.
We also need to consider doing a DPIA for other processing that may be large scale and involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals.
DPIA are considered good practice for any major new project even if a specific high risk has not initially been identified.
Who is responsible for carrying out a DPIA?
DPIAs should be considered at the very start of a project during the planning and development phase and before processing commences. This would usually be by the individual leading the project or someone who has overall responsibility for it. Information Assurance Services (IAS) will assist in completing a DPIA and should be contacted at an early stage.
How is a DPIA carried out?
A DPIA involves a number of stages. Initially a screening questionnaire is completed through the OneTrust software to determine is a full DPIA is required.
If a DPIA is required, then a full questionnaire will need to be completed in OneTrust. This will be used in conjunction with other evaluations e.g. ITS Cloud evaluation. In the case of research using patient data, other governance documentation will also need to be considered.
The DPIA process will require the input of key stakeholders including; ITS; IAS and the Data Protection Officer.