How to get buy-in for DPIAs

February 2022

How do we get people engaged with Data Protection Impact Assessments?

DPIAs often get a bad rap. Privacy people often say their project managers and team leaders don’t understand and don’t like them.  They’re too onerous, they get started but often linger incomplete.

So, how do you get people in the business to understand and play along?

Let’s be clear – risk assessments (and a DPIA is one of these) can be one of the most useful tools in your data protection toolkit. Used properly, they can really help identify, assess and tackle risks before they even see the light of day.

When should you carry out a DPIA?

Just to recap we know we need to conduct DPIAs where our projects, initiatives, system changes and so on, are likely to represent a high risk to those whose data is involved. Note ‘high risk’. You’ll need to take account of the scope, type and manner of the proposed processing.

It’s not always easy to judge where this threshold falls, so some businesses end up carrying out far more DPIAs than needed, whilst others carry out too few. Fortunately the ICO have given examples of processing ‘likely to result in high risk’ to help you make this call.

Regulated sectors, such as financial services & telecoms, have more to think about and may adopt a cautious approach.

Engage with your teams

First rule of DPIA Club is… we MUST talk about it!

Build relationships with the people who ‘do new stuff’ with your data. The people who run development projects and the key stakeholders – such as heads of the main functions which process personal data across your business, e.g. Marketing, Operations, HR, etc. If you have a Procurement team, then target them too.

Ask what projects they have on the horizon. The aim is to make them aware of DPIA requirements and ask them to give you an early ‘heads up’ if they are looking to onboard a new service provider or indeed use data for an innovative new project.

Let them know tech projects and system migrations almost always involve some kind of personal data processing. They should be mindful of the potential for this to lead to privacy risks.

If they think about data protection from the outset it will save valuable time and money in the long run. Save unwelcome hiccups along the line. Give them examples of how things have gone wrong or could go wrong.

You could raise awareness across the business using your intranet, email reminders, posters, drop-in clinics … what ever it takes to get the message across.

A regular dialogue about upcoming technology projects, or using a DPIA screening form (or for larger businesses a technology ‘gating’ process) are good ways to get a heads up on new projects. These will help to quickly identify if a DPIA is needed or not.

Steve Priestly, Head of Data Protection (UK & MET), Travelex:

‘We place a key focus on highlighting to stakeholders of the benefits of early engagement in the DPIA process. Continual collaboration with your stakeholders is also key, understanding what they are trying to achieve. Lastly, ongoing DPIA education and awareness will help in the long-term to imbed a strong data privacy culture.’  

Use a good DPIA template

In my opinion too many businesses use complex and jargon-filled screening questionnaires and DPIA templates, which many people find hard to understand. They ask questions in ‘GDPR-talk’ which people find hard to grasp & answer and they often don’t really help people to identify what privacy risks actually look like.

Take a look at your DPIA template with fresh eyes. If you don’t like it use a better one, or adapt it to fit your business ways of working.

Be prepared for Agile working

So many development projects are Agile now and this requires adapting your approach. You won’t get all the answers you need at the start. Stay close to the project as it evolves and be ready to roll your DPIA in line with scheduled sprints or scrums, but before data migrates. DPIAs – How to assess projects in an Agile environment

DPIA approaches

It’s a good idea to keep tabs on how many data projects are in progress, how many lead to DPIAs and what the status of these is. This means you will know if you need to drum up more engagement or not.

Here are a couple of examples of the approaches taken by different businesses.

Use of technology tools

Stephen Baigrie, Managing Counsel, IT, Procurement & Privacy at Balfour Beatty:

“At Balfour Beatty we use an online privacy compliance platform to manage DPIAs and to enable early stakeholder engagement. We worked with our Group Data Protection Officer and Information Security team to formulate user-friendly assessment templates.

We use a pre-DPIA screening qualifier to help identify if a full DPIA is required and run a working group with Data Protection, Legal and Information Security stakeholders to track DPIAs and vendor due diligence matters.”

“Where appropriate, we adopt a self-service model for DPIA completion to help improve privacy awareness and seek to be agile by continuously improving and evolving our privacy processes.”

An integral part of the change governance process

Christopher Whitewood (CIPP/E, CIPM) Privacy & Data Protection Officer at Direct Line Group:]

“We have mandated that a risk assessment must be conducted as part of our change governance process. Our DPIA is included as part of a single online risk assessment form which allows for an early risk assessment by Privacy, Security and Business Continuity Teams.”

“A simple approach allows business areas to fill out one form with a layered question set to determine where further investigation is needed. The online form has been adapted to consider any data ethical concerns at an early stage, but also has the added bonus of the scored risk assessment to form the basis to drive assurance activity.”

So to conclude, I hope this has given you some fresh ideas how to engage with your colleagues about DPIAs. Good luck!