Data Protection Impact Assessments: 10 Tips
How to get your DPIA process on track
Do teams know when a Data Protection Impact Assessment should be conducted? Are you carrying out too many, or too few?
Don’t make DPIAs a onerous box ticking exercise. If DPIAs are solely seen through the prism of compliance, they’ll be seen as burden. They may be attempted half-heartedly or left inadequately completed.
If this is happening it’s time to shout about what a valuable tool they are!
Assessing potential data protection risks from the start of a project, acts as handy warning system for the business and protects those whose person information is involved from unnecessary risks. DPIAs help to identify risks in advance, before they can potentially become a bigger problem.
10 tips for getting your DPIA process on track
1. Create a DPIA screening questionnaire
Put together a set of questions for business owners and/or project leads to use, which help to identify if a DPIA is required or not for their particular project or activity.
This will not only help teams to think about data protection considerations from the outset, but also avoids time being spent conducting DPIAs when they aren’t necessary.
2. Identify types of projects likely to need a DPIA
In some situations DPIAs are mandatory under UK/EU GDPR, in others they may be a ‘good to do’. So, it’s helpful to set out some clear guidelines which explain your organisation’s position on this. When does your business consider it appropriate to carry out a DPIA?
For example, are you using innovative tech or AI? Will you be handling biometric data? Are you matching data or combining data sets from different sources? Was the personal data collected indirectly? Are you tracking people (either their location or behaviour)? Do you use third party ad tech providers? Does the project involve children or special category data? Are you transferring data outside the UK/EEA? And so on.
3. Don’t forget your marketing related activities
It can be easy to forget marketing related activities could require or benefit from a DPIA. If marketing could result in a ‘high risk’ to individuals it’s likely you’ll need to do an assessment of the data protection risks. Here are some examples;
- ‘large scale’ profiling of individuals for marketing purposes
- matching datasets for marketing purposes
- processing which may be ‘invisible’ to the data subject, e.g. list brokering, online tracking by third parties, re-use of publicly available data
- using geo-location data for marketing purposes
- tracking the behaviour of individuals including online advertising, web and cross device tracking, tracing services (tele-matching & tele-appending), wealth profiling and loyalty schemes.
- targeting children or other vulnerable individuals for marketing purposes.
4. Design an easy-to-use DPIA process
You’re unlikely to reap the benefits if you have an unwieldly DPIA template full of data protection jargon, with questions people just don’t know how to answer. Create a practical usable DPIA template which is as straight-forward as possible for people to follow.
The ICO has published a DPIA template, but there is nothing to stop you adapting this to suit your business. You may also choose to have a simplified version for less complex projects.
Does your process help your teams to identify and assess privacy risks? Do you provide examples of what types of mitigating actions could be taken? Clear guidelines on how to complete a DPIA are invaluable.
5. DPIA training
Key team members need to have the skills to conduct a DPIA: to understand what the process entails, how to brief key stakeholders and walking them through the process, explaining what sort of risks to look out for and so on.
The DPO, or data protection lead, can’t be expected to do this single-handed. The ICO in their DPIA guidance specifically mentions the need to provide specialist training.
If teams don’t know what DPIAs are, they may push forward with new projects and innovations, and fail to consider the potential data protection issues. This may come back to bite you just before a project launches… or worse afterwards if you receive a complaint, breach and/or regulatory scrutiny.
Once all your ducks are in a row; when you have a screening questionnaire and a decent DPIA template, it’s time to make sure people know about DPIAs across the business. Get your Comms team involved to spread the message far and wide.
7. Start early
Talk to your project leaders, change management (if you have them) and IT leaders. Make sure people who work on projects which involve personal data complete screening questionnaires as soon as possible. Assess whether a DPIA is needed, so you can start the process as soon as possible. This way you can find problems and fix them early on.
A DPIA is likely to need the input of people from different areas of the business. Get people collaborating so projects can proceed at pace, without unnecessary delays.
Engage business and project management stakeholders at an early stage, so you can scope out the processing and start to identify any potential privacy risks, and consider mitigating measures.
9. Keep revisiting your DPIA
Throughout the different stages of a project keep an ongoing dialogue with stakeholders, especially with Agile projects which may expand over time. Check if new ideas, new developments have an data protection impact.
Once a DPIA is completed, set review dates, so you can check if things have changed.
For instance, you may have developed a new app, and six months later you want to improve the functionality, adding new features – what data protection issues could this raise?
Also keep you screening questionnaire, template and guidelines under review, there will always be enhancements you can make to make them more effective. Why not ask teams for feedback on how they can be improved?
DPIAs can feel a bit daunting, but the more familiar people are with the process, the risks they should be looking out for and the types of measures and controls that could be deployed to protect people’s data, the easier it all becomes.