If your heart says yes, can your DPIA say it too?
We wrote back in March about the common mistakes organisations make with Data Protection Impact Assessments (DPIAs). The importance of DPIAs can be seen in three recent cases.
- In the True Visions Productions case (under the DPA 1998), the lack of DPIAs was seen by the Information Commissioner's Office (ICO) as one of the “aggravating features” in its decision to fine them £120,000.
- In the HMRC case (the first under the DPA 2018), the ICO noted that HMRC appeared “to have given little or no consideration to the data protection principles when rolling out the Voice ID service,” something that a DPIA achieves.
- When the South Wales Police use of automated facial recognition software was brought before the Courts, they considered the Police’s DPIA. The Courts noted it provided a clear description of the proposed processing and referred to the concerns raised about the intrusions into privacy. The Police ultimately won the case.
Getting a DPIA right is therefore increasingly important. A DPIA should identify potential risks to data subjects’ rights and freedoms. It should ensure appropriate measures can be put in place to manage those risks.
But there is a problem. The ICO’s DPIA template is very long and does not easily enable you to identify and qualify risks and make informed decisions.
Protecture has created its own DPIA to help organisations get the most out of the DPIA process:
- From Cradle to Grave: Confirm the Data Journey
What are you seeking to achieve with the proposed processing, i.e. what service, system or product are you looking to launch, or seeking to amend or improve?
Ask why this needs personal data? For what purpose (or purposes) will personal data be used?
Document the flow of personal data. Where and who will it come from? Where will it be stored? What will you do with the data? Who else (e.g. suppliers) will handle the data?
- Why that way? How about another way? Confirm necessity and proportionality
Consider whether every proposed processing operation is necessary, and whether there are other ways to achieve the same outcome. What are the pros and cons of the other ways, such as their cost and their effectiveness?
For example, could you use a different supplier with a more privacy-friendly approach?
- Who will be affected? Confirm Data Subject personas
The DPIA should then consider the demographics of the individuals who are the “target” for the proposed activity.
Who are they to you, e.g. customers; service users; employees? What are their expectations, e.g. would they expect a high degree of privacy and confidentiality?
This is your average/most likely Data Subject persona.
Next consider the most vulnerable individuals whose personal data will be processed. For example, will people with disabilities, ill-health, or people at risk from abuse, violence or discrimination also potentially engage with the service, system or product you are looking to launch?
This is your most vulnerable Data Subject persona.
- What data is involved? Confirm personal data involved
For each persona, consider the personal data you will be collecting and using.
Go beyond simply listing personal data and special category personal data.
Consider how “sticky” the data is (e.g. a password can be reset; a medical fact cannot be changed or replaced), how “critical” the data is (is it simply useful, or absolutely critical to them?) and what “reach” the data has (e.g. will it be handled just by you, or also your suppliers, or will it be made public?).
And finally consider the volumes of data involved: both the number of records, and amount of data per record.
- Let’s test this! Do the rights and freedoms risk assessment
You now have the raw materials to undertake a risk assessment.
For each persona, consider the potential consequences that could arise from the processing of the personal data, i.e. could it result in “physical, material or non-material damage” to the person, and to what degree?
Next, for each of these consequences, consider how easily it can be caused. Think about who might be able to bring this scenario about, what is required to enable these instigators to act, and the amount of effort required by the instigator to use the opportunity.
Using this approach, we believe you should be able to identify potential risks to the rights and freedoms of different data subjects and the chances of them happening. This will mean you are in a good place for the next steps.
These would see you seeking stakeholder engagement and considering potential mitigations. With these in mind, the assessment can be re-run and the impact reassessed.
The DPIA can then be finalised, alongside any reporting to the ICO. And the DPIA should be monitored as the project develops, to ensure the risks continue to be managed as expected.
Would you like to know more? Our MD, Gary Shipsey, is hosting a live webinar – If your heart says yes, can your DPIA say it too?
When: Monday 11th November 2019 / 2pm – 3pm