Alex Franch

How to Create a Data Protection Impact Assessment (DPIA)

A DPIA is part of your accountability obligations under the GDPR. If you are already processing personal data and have not yet checked whether you need a DPIA, you must do so now and record the outcome, whatever it is.

You need a DPIA before you introduce new technology, for example fingerprint or face-recognition software that controls employees' access to the workplace.

Steps you need to perform while conducting a DPIA

  1. Identify the need for a DPIA
  2. Describe the processing
  3. Consider consultation
  4. Assess necessity and proportionality
  5. Identify and assess the risks
  6. Identify the measures to reduce the risks, recording the source of each risk
  7. Sign off and record outcomes

Step 1: Identify the need for a DPIA

Lawyer version:

A DPIA is necessary if processing data is “likely to result in a high risk to the rights and freedoms of natural persons”.

English version:

You must assess if processing data is likely to pose a threat to individuals' freedom or their rights.

For example - A bus operator plans to install onboard cameras to monitor drivers' and passengers' behaviour. Even though the operator acts in good faith, it must consider the implications for drivers and passengers, because continuous monitoring of this kind may pose a high risk to their rights.

When do we need a DPIA 100%?

When we perform any of the following:

  • Profiling - classifying individuals after analysing their characteristics. The profiles can then be used to make decisions or form opinions about individuals and their behaviour.
  • Example - Using social media posts to analyse the personalities of car drivers by using an algorithm to analyse words and phrases which suggest ‘safe’ and ‘unsafe’ driving to assign a risk level to an individual and set their insurance premium accordingly.
  • Processing special category data on a large scale - special category data (sometimes called sensitive data, e.g. political opinions, health data) requires a higher level of protection because of its sensitive and personal nature. On top of an Article 6 lawful basis, you must identify an Article 9 condition that permits you to process it.
  • Example - Processing the biometric data of employees to grant them access to a building like an office
  • Personal data relating to criminal convictions - If you plan to process personal data about individuals' criminal convictions or offences, the processing must meet one of the 28 conditions set out in UK law (Schedule 1 of the Data Protection Act 2018, which supplements Article 10 GDPR), or be carried out under official authority. In either case a DPIA is essential.
  • Public monitoring - This includes a company systematically monitoring its employees' activities, such as their workstations and internet use. It is treated as high risk because personal data may be collected in circumstances where individuals do not know who is collecting it or how it will be used, and they may be unable to avoid the processing in a public (or publicly accessible) space.
  • Automated decision-making with legal or similarly significant effects.
  • Systematic monitoring.
  • Preventing data subjects from exercising a right - for example, the right to be forgotten.
  • Using Innovative technology (e.g. AI) - Processing involving the use of innovative technologies, or the novel application of existing technologies (including AI).
  • Denial of service - Decisions about an individual’s access to a product, service, opportunity, or benefit that is based to any extent on automated decision-making (including profiling) or involves the processing of special category data.
  • Large-scale profiling - Any profiling of individuals on a large scale.
  • Biometrics - Any processing of biometric data. A DPIA is required where this processing is combined with any of the criteria from the European guidelines.
  • Genetic data - Any processing of genetic data, other than that processed by an individual GP or health professional for the provision of health care directly to the data subject. A DPIA is required where this processing is combined with any of the criteria from the European guidelines.
  • Data matching - Combining, comparing or matching personal data obtained from multiple sources.
  • Invisible processing (data not obtained directly from the data subject) - Processing of personal data that has not been obtained directly from the data subject in circumstances where the controller considers that compliance with Article 14 would prove impossible or involve a disproportionate effort. A DPIA is required where this processing is combined with any of the criteria from the European guidelines.
  • Tracking - Processing involves tracking an individual’s geolocation or behaviour, including but not limited to the online environment. A DPIA is required where this processing is combined with any of the criteria from the European guidelines.
  • Targeting of children or other vulnerable individuals - The use of the personal data of children or other vulnerable individuals for marketing purposes, profiling, or other automated decision-making, or if you intend to offer online services directly to children.
  • Risk of physical harm - Where the processing is of such a nature that a personal data breach could jeopardise the (physical) health or safety of individuals.

The process of identification involves summarising why you need a DPIA.

While identifying the need for a DPIA refer to the following:

  1. Explain broadly what the project aims to achieve and what type of processing it involves.
  2. Refer or look into other documents, such as a project proposal to gain clarity.
  3. Ask your data processors to help you understand and document what they use data for and identify any associated risks.
  4. Ask your Data Protection Officer (DPO) for detailed advice.

Step 2: Describe the processing

Explain in detail the four major aspects of processing.

  • Nature of the processing - what do you plan to do with the personal data? It includes how you collect the data, how you store the data, how you use the data. You may refer to your data map on the Privasee Platform for this.
  • Scope of the processing - How extensive is the use of the data? Answer questions like: Are you going to process sensitive data? How much data will you collect? How long will you keep it? How many individuals will be affected, and over what geographical area?
  • Context of the processing - The context of processing provides a wider picture of the processing activities. Including the internal and external factors, that might affect the impact of the processing.
  • Example - The nature of your relationship with the individuals, whether these individuals include children or other vulnerable people. Would they expect you to use their data in this way?
  • Purpose of the processing - It is the reason why you want to process the personal data or the benefit which you want to achieve. This should include - your legitimate interests, the intended outcome for individuals, expected benefits for you, or for society as a whole.

Step 3: Consider consultation

It is good practice to seek and document the views of the individuals concerned or their representatives. You should design a consultation process and seek the views of:

  • the individuals whose data will be processed;
  • their representatives;
  • any other relevant stakeholders.

You should also consult all relevant internal stakeholders, in particular anyone responsible for information security, your processors, your legal advisers and your DPO.

If your DPIA leaves a high residual risk that you cannot reduce, you must consult the ICO (the UK privacy regulator) before you start the processing.

Step 4: Assess necessity and proportionality

Perform an assessment to identify:

  • The lawful basis that justifies the processing.
  • Example - you might choose consent because you want individuals to be aware of, and agree to, the processing. Bear in mind that consent must be freely given, so it is rarely appropriate where there is an imbalance of power, such as between an employer and its employees.
  • Whether the desired outcome or purpose can be achieved in another way that does not involve such high-risk processing.
  • Example - asking users for a one-time location instead of tracking them continuously.

You can use the image below for reference on what to assess:

Step 5: Identify and assess the risks

  • Consider the potential impact on individuals and any harm or damage your processing may cause whether physical, emotional or material.
  • Include associated compliance and corporate risks as necessary.
  • Rate each risk by its likelihood, its severity and the resulting overall risk. For example, consider whether the processing could lead to discrimination, or to individuals losing control over how their personal data is used.

Step 6: Identify the measures to reduce the risks, recording the source of each risk

You should then consider and evaluate different options to reduce the level of risk.

  • Example: deciding not to collect certain types of data or reducing retention periods to prevent data loss.

Step 7: Sign off and record outcomes

Set out the steps your organisation has taken to remedy any issues raised during your assessment.

You should then record:

  1. what additional measures you plan to take;
  2. whether each risk has been eliminated, reduced or accepted;
  3. the overall level of residual risk after those measures;
  4. whether you need to consult the ICO or the relevant regulator; and
  5. any reasons for going against the views of individuals or other consultees.

You must integrate the outcomes of your DPIA into your project plans.
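
Steps 5 to 7 amount to a small risk register: rate each risk, apply the measures you chose, work out the residual risk and decide whether the regulator must be consulted. The script below is an added example written for this post; it is not code from the original article, from the ICO template or from the Privasee platform. It assumes the three-level scales the ICO's sample template uses (likelihood remote/possible/probable, severity minimal/significant/severe, overall risk low/medium/high) and combines them with a product matrix of its own; the sample risks for the fingerprint door-access scenario mentioned earlier are constructed for illustration.

```python
"""Worked DPIA risk register for steps 5 to 7 (added example, not from the post).

Assumptions: likelihood and severity use the three-level ICO scales below; the
numeric matrix that turns them into low/medium/high, the effect attributed to
each measure, and the sample risks are all this example's own.
"""
from dataclasses import dataclass, field

LIKELIHOOD = {"remote": 1, "possible": 2, "probable": 3}
SEVERITY = {"minimal": 1, "significant": 2, "severe": 3}
LEVELS = ["low", "medium", "high"]


def risk_level(likelihood_score: int, severity_score: int) -> str:
    """Assumed matrix: product 1-2 = low, 3-4 = medium, 6-9 = high."""
    score = likelihood_score * severity_score
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def overall_risk(likelihood: str, severity: str) -> str:
    return risk_level(LIKELIHOOD[likelihood], SEVERITY[severity])


@dataclass
class Measure:
    description: str
    likelihood_drop: int = 0    # how many likelihood levels the measure removes
    severity_drop: int = 0      # how many severity levels the measure removes
    eliminates: bool = False    # e.g. deciding not to hold the data at all


@dataclass
class Risk:
    source: str                 # step 6: record where each risk comes from
    harm: str                   # physical, emotional or material harm to individuals
    likelihood: str
    severity: str
    measures: list[Measure] = field(default_factory=list)

    def inherent(self) -> str:
        return overall_risk(self.likelihood, self.severity)

    def residual(self) -> tuple[str, str]:
        """Residual level after the measures, and whether the risk was
        eliminated, reduced or accepted (the step 7 record)."""
        if any(m.eliminates for m in self.measures):
            return "none", "eliminated"
        l = max(1, LIKELIHOOD[self.likelihood] - sum(m.likelihood_drop for m in self.measures))
        s = max(1, SEVERITY[self.severity] - sum(m.severity_drop for m in self.measures))
        level = risk_level(l, s)
        # A measure that does not lower the level means the risk is accepted at that level.
        status = "reduced" if LEVELS.index(level) < LEVELS.index(self.inherent()) else "accepted"
        return level, status


def dpia_outcome(risks: list[Risk]) -> dict:
    """Per-risk outcome plus the consultation decision: GDPR Art. 36 requires
    prior consultation with the regulator when a high residual risk remains."""
    rows = []
    for r in risks:
        level, status = r.residual()
        rows.append({"source": r.source, "inherent": r.inherent(),
                     "residual": level, "status": status})
    remaining = [row["residual"] for row in rows if row["residual"] != "none"]
    highest = max(remaining, key=LEVELS.index) if remaining else "none"
    return {"risks": rows, "highest_residual": highest,
            "consult_regulator": highest == "high"}


def fingerprint_access_register() -> list[Risk]:
    """Constructed sample register for the post's fingerprint door-access scenario."""
    return [
        Risk("central store of fingerprint templates",
             "breach of biometric data that, unlike a password, cannot be re-issued",
             "possible", "severe",
             [Measure("store the template only on the employee's own smart card", likelihood_drop=1),
              Measure("keep an irreversible template, not the raw image, encrypted at rest", severity_drop=1)]),
        Risk("staff who cannot or will not enrol a fingerprint",
             "exclusion from the workplace; discrimination",
             "probable", "significant",
             [Measure("offer a non-biometric badge so enrolment is genuinely optional", severity_drop=1)]),
        Risk("templates kept after an employee leaves",
             "loss of control over personal data",
             "probable", "significant",
             [Measure("delete the template as part of the leaver process", eliminates=True)]),
        Risk("function creep: door logs reused for attendance monitoring",
             "monitoring that employees did not expect",
             "possible", "significant"),   # no measure chosen, so the risk is accepted
    ]


if __name__ == "__main__":
    outcome = dpia_outcome(fingerprint_access_register())
    for row in outcome["risks"]:
        print(f'{row["inherent"]:>6} -> {row["residual"]:<6} {row["status"]:<10} {row["source"]}')
    print("consult regulator:", outcome["consult_regulator"])
```

Running it lists each risk with its inherent and residual level and its status, and ends with the consultation decision. Leaving the first risk unmitigated (a central template store with a possible, severe breach) keeps its residual risk high, and the register then flags that the ICO must be consulted before processing starts.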

Template

The ICO publishes a sample DPIA template that you can use as a starting point.

Disclaimer

The information presented in this document is not the same as legal advice, where a lawyer applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. You may not rely on this as legal advice, nor as a recommendation of any particular legal understanding.

February 15, 2022
