Data Protection Impact Assessments: 10 Tips
It’s sometimes difficult not to view Data Protection Impact Assessments as an onerous box-ticking exercise. If this is the mindset in your business, is it time to shout about what a valuable tool they are and get your process on track?
If DPIAs are solely seen through the prism of compliance, they’ll be seen as a burden. They may be attempted half-heartedly or left inadequately completed.
While DPIAs sit at the heart of the principle of data protection by design, it can be best to see them as a handy warning system to protect the entire business, and those whose data it processes, from unnecessary risk: a way of identifying risks in advance, before they become a much bigger problem.
10 tips for getting your DPIA process on track
1. Create a DPIA Screening Questionnaire
Put together a quick set of questions for business owners and/or project leads to use, which help to identify if a DPIA is required or not for their particular project or activity.
This will not only help teams to think about data protection considerations from the outset, but also avoids time being spent conducting DPIAs when they really aren’t necessary.
2. Identify types of projects likely to need a DPIA
In some situations a DPIA is mandatory; in others it may be a ‘good to have’. So, it’s good to set out some clear guidelines which explain your organisation’s position on this. When do YOU consider it appropriate to carry out a DPIA?
For example, are you using innovative tech or AI? Will you be handling biometric data? Are you matching data or combining data sets from different sources? Was the personal data collected indirectly? Are you tracking people (either their location or behaviour)? Do you use third-party ad tech providers? Does it involve children or special category data? Are you transferring data outside the UK/EEA? And so on.
3. Don’t forget your marketing related activities
It can be easy to forget that marketing related activities could require or benefit from a DPIA.
In its draft Direct Marketing Code of Practice, the ICO says any ‘direct marketing’ activity which involves the processing of personal data that is likely to result in ‘high risk’ to the individual requires a DPIA before you start processing. The following examples are given:
- when conducting ‘large scale’ profiling of individuals for marketing purposes
- matching datasets for marketing purposes
- processing which may be ‘invisible’ to the data subject, e.g. list brokering, online tracking by third parties, re-use of publicly available data
- using geo-location data for marketing purposes
- tracking the behaviour of individuals including online advertising, web and cross device tracking, tracing services (tele-matching & tele-appending), wealth profiling and loyalty schemes.
- targeting children or other vulnerable individuals for marketing purposes.
In its Ad Tech investigations, the ICO also highlighted the need for DPIAs, which it said were rarely conducted but should be.
4. Design an easy-to-use DPIA process
You’re unlikely to reap the benefits if you have an unwieldy DPIA template full of data protection jargon, with questions people just don’t know how to answer. Create a practical, usable DPIA template which isn’t too complicated for people to follow.
The ICO has published a DPIA template, but I’d recommend adapting this to suit your business. You may also choose to have a simplified version for less complex projects.
Does your process help your teams to identify and assess any privacy risks? Do you provide examples of what types of mitigating actions could be taken? Clear guidelines on how to complete a DPIA are invaluable.
5. DPIA training
Key team members need to have the skills to conduct a DPIA: to understand what the process entails, how to brief key stakeholders and walk them through the process, what sort of risks to look out for, and so on.
The DPO, or data protection lead, can’t be expected to do this single-handed. The ICO, in its DPIA guidance, calls out the need to provide specialist training.
If people don’t know what DPIAs are, they’ll be blissfully unaware, doing great innovative things and not considering the potential data protection issues. This may come back to bite you just before a project launches… or worse, afterwards, if you receive a privacy complaint!
6. Spread the word
Once all your ducks are in a row, when you have a screening questionnaire and a decent DPIA template, it’s time to make sure people know about DPIAs across the business. Get your Comms team involved to spread the message far and wide.
7. Start early
In particular, talk to your project leaders, change management (if you have them) and IT leaders. Make sure people who work on projects which involve personal data complete screening questionnaires as soon as possible. Assess whether a DPIA is needed, so you can start the process as soon as possible. This way you can find problems and fix them, avoiding nasty surprises later on.
8. Get people collaborating
A DPIA is likely to need the input of people from different areas of the business. Get people collaborating so projects can proceed at pace, without unnecessary delays.
Engage business and project management stakeholders at an early stage, so you can scope out the processing, start to identify any potential privacy risks, and consider mitigating measures.
9. Keep revisiting your DPIA
Throughout the different stages of a project, keep an ongoing dialogue with stakeholders, especially on Agile projects, which may expand over time. Check whether new ideas or new developments have an impact.
Once a DPIA is completed, don’t just set it to one side and forget about it. Set review dates, where you can check if things have changed.
For instance, you may have developed a new app, and six months later you want to improve the functionality, add new features – does this impact on privacy?
Also keep your screening questionnaire, template and guidelines under review; there will always be enhancements you can make to make them even more effective. Why not ask teams for feedback on how they can be improved?
In summary, DPIAs can feel a bit daunting, but the more familiar people are with the process, the things they should be looking out for and the types of measures and controls that could be deployed to protect people’s data, the easier it all becomes.
And don’t forget that DPIAs, as well as acting as a warning system, also support your business in meeting UK GDPR’s accountability requirements. They give you evidence that you take data protection seriously, and documentation to prove it.