An area of data protection receiving significant regulatory coverage currently is that of a Data Protection Impact Assessment (DPIA).

So what is a DPIA?

A DPIA is a process designed to help you systematically analyse, identify and minimise the data protection risks of your personal data processing activities. A DPIA should generally be carried out prior to the processing by the data controller. It is a key part of your accountability obligations under the GDPR, and when done correctly helps you examine and demonstrate your compliance with your data protection obligations. The DPIA is provided for in GDPR 2016/679 Art 35 and The Data Protection Act 2018 S. 84. The minimum content of the assessment is recommended as:

  • A description of the envisaged processing operations and the purposes of the processing”
  • An assessment of the necessity and proportionality of the processing”
  • An assessment of the risks to the rights and freedoms of data subjects”
  • The measures envisaged to:
  • Address the risks and
  • Demonstrate compliance with current valid law

When is a DPIA required?

A DPIA is mandatory where data processing “is likely to result in a high risk to the rights and freedoms of natural persons.” This is particularly relevant when a new data processing technology is being introduced (Art. 35 (1)).

The term ‘high risk’ has, and continues to be, the subject of some debate. Article 35 (3) provides some examples:

  • “A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person”
  • “Processing on a large scale of special categories of data referred to in Article 9(1)e.g. (health or political opinions), or of personal data relating to criminal convictions and offences “a systematic monitoring of a publicly accessible area on a large scale”

Further guidelines are available online at the European Data Protection Board website.

When is a DPIA not required?

  • When there is no high risk to the ‘rights and freedoms of natural persons’
  • Where a similar assessment document is currently available
  • Where EU or member law provides an appropriate basis
  • Where the activity is named on a list as set out by the Regulator

Key steps to a compliant DPIA

The Data Protection Commission Office sets out the following guiding steps covering a DPIA process:

  • Identifying whether a DPIA is required
  • Defining the characteristics of the project to enable an assessment of the risks to take place
  • Identifying data protection and related risks
  • Identifying data protection solutions to reduce or eliminate the risks
  • Signing off on the outcomes of the DPIA
  • Integrating data protection solutions into the project

Contact the DPC Office?

  • During the DPIA process, the Data Controller has identified and taken measures to mitigate any risks to personal data, it is not necessary to consult with the DPC before proceeding with the project.
  • If the DPIA suggests that any identified risks cannot be managed and the residual risk remains high, you must consult with the Data Protection Commissioner before moving forward with the project.
  • Regardless of whether or not consultation with the DPC is required, your obligations of retaining a record of the DPIA and updating the DPIA in due course remain.
  • Even if consultation is not required, the DPIA may be reviewed by the DPC at a later date in the event of an audit or investigation arising from your use of personal data.

The key take away here is that you are wise to keep fulsome records of the DPIA process you have created

Making public your DPIA?

While it is not legally mandatory (currently) to publish the DPIA, the DPC is of the opinion that there are a number of benefits to doing so. ‘Publishing the DPIA can help to foster trust in your handling of personal data, and demonstrate accountability and transparency, particularly where members of the public are affected. This may be especially beneficial for DPIAs carried out by public bodies’.

The published DPIA does not need to contain the whole assessment, especially when the DPIA could present information concerning security risks or commercially sensitive information. It could even consist of just a summary of the DPIA’s main findings.

The above information is intended to be a snapshot of the rules surrounding DPIAs. It is noteworthy that changes to the rules and guidelines are expected to flow from the Regulators.

For more information, advice or guidance about DPIAs contact:

Carter Anhold Solicitors

Sligo Office, 1 Wine Street, Sligo Co Sligo F91 X58H or 212A, The Capel Building, Mary’s Abbey, Dublin 7 D07 FXF8

00353 71 916 2211