Data Protection Impact Assessments

When does my organisation need a DPIA?

Registered Social Landlords (RSLs), like other organisations, are subject to the UK General Data Protection Regulation (GDPR), and Article 35(1) requires that a Data Protection Impact Assessment (DPIA) be undertaken before beginning any type of processing which is 'likely to result in a high risk.' This means that, before deciding whether a DPIA is needed, you will have to consider several factors which might have the potential for a widespread or serious impact on the individuals whose personal data is being processed. The European Commission guidance sets out nine types of processing which would be likely to result in a high risk, which include:

  • Using automated decision making with legal or similar effect. For instance, the decision-making could lead to exclusion or discrimination against individuals;
  • Conducting systematic monitoring of individuals in publicly accessible areas where they may not be aware of who is collecting their data and how it is being processed; or
  • Processing special category data or criminal offence data on a large scale.

The ICO also sets out circumstances in which a DPIA must be undertaken (Data protection impact assessments | ICO), which include:

  • Using innovative technology (in combination with any of the criteria in the European Commission guidelines);
  • Using profiling or special category data to decide on access to services; or
  • Profiling individuals on a large scale.

Whilst the European Commission guidance states that where any two of the nine criteria are met, then a DPIA should be carried out, they also suggest that in some cases, you may consider that only one of the criteria being met still requires a DPIA. Additionally, the ICO recommends that it is good practice to carry out a DPIA for any processing on a large scale, or for any major new project which involves the use of personal data. As such, a DPIA can also be undertaken where you consider it appropriate, and not just where you are legally obliged to do so.

What should a DPIA include?

A DPIA is a means for RSLs to consider the processing they are planning to carry out, and therefore the compliance and broader risks to the rights and freedoms of the individuals whose data is being processed. The ICO suggests that the focus when conducting a DPIA should be on the potential for harm – to individuals or to society at large, whether it is physical, material or non-material. In turn, the DPIA will also inform how you reduce such risks, for instance by providing appropriate training to staff who are processing the data or by introducing security measures such as authentication.

The ICO provides a template DPIA here which should include, amongst other things:

  • The need, nature, scope, context and purposes for processing the data;
  • The consultation with relevant stakeholders, or if this is not necessary then justification of why this is not relevant;
  • The compliance and proportionality measures being taken;
  • Identification and assessment of the risks to individuals; and
  • Identification of measures to reduce such risks.

If a DPIA is carried out, and a high risk has been identified where no measures can be taken to reduce such risk, then you must consult with the ICO and you must not proceed with processing until you have done so.

DPIAs are crucial documents for RSLs to record and demonstrate their compliance with their legal obligations under the GDPR, and also a means of minimising any potential risk posed by processing data. It should be noted that DPIAs should be periodically reviewed and updated where required. For instance, the ICO suggests that you should review your DPIA where there is a substantial change to the nature, scope, context or purposes of your processing.

We have an experienced team that is able to advise on all issues relating to data protection. Please contact our team here if you would like more information or advice.

Claudia White