Data Protection Impact Assessments are an essential, cost-effective way to identify data risks before they have a negative impact on an organisation. So why are they often the elephant in the room?
When GDPR went live on May 25, 2018, one of the biggest steps into the unknown for many organisations was the mandatory process of conducting a Data Protection Impact Assessment (DPIA). DPIAs are generally designed to systematically assess, minimise, eradicate, or accept any high personal data risks that a new project, system, application, or process might entail—before it has been fully built or developed. This is known as “Data Protection by Design and Default.”
Because DPIAs are flexible and fluid, many organisations and businesses are unsure of the correct way to complete a DPIA. There is no definitive DPIA template to follow (albeit the Information Commissioner’s Office (ICO) provides a very broad one), which is why there are numerous interpretations as to how much information needs to be documented. Perhaps that’s where organisations have come unstuck; they lack the level of expertise needed to truly assess essential compliance gaps in Data Protection. South Wales Police, for instance, lost a landmark facial recognition case in 2020 largely on the lack of a DPIA picking up on whether the software exhibited any race or gender bias. The ICO also further ruled that police forces should set out their Live Facial Recognition retention schedules in any subsequent DPIAs.
But that shouldn’t deter organisations from implementing a solid DPIA process, especially since the ultimate purpose of these tools is to identify where GDPR gaps may sit within a system, database, or project plan, allowing organisations to address issues that could essentially cause a data breach (the maximum fine from the ICO being up to £8.3 million or 2% of your global turnover) and can. Anything could be unearthed—from a lack of system audit, access controls, retaining personal data for longer than necessary, or determining that processing is simply too intrusive—so DPIAs can be your life-raft when it comes to forward-thinking compliance. If the UK Government had completed a DPIA when it introduced the NHS Test and Trace programme, it surely wouldn’t have been deemed unlawful by privacy campaigners and even the Department of Health.
Despite the perceived size and amount of time a DPIA will take, the process doesn’t need to result in a volume like War & Peace. A simple and sharp question set should be enough to ascertain the type of processing and amount of personal data that is required for the project or system that is being implemented. As long as each data protection principle is addressed and considered during the DPIA, any “real” risks should come out of the woodwork and be documented and mitigated accordingly.
DPIAs are all about capturing those fundamental data protection elements at the design stage. If you use them to find areas of risk early in the process and secure the right mitigations, things will be more cost effective for you and your company when it comes to data protection compliance.
CTG can assist with your DPIA requirements by understanding the project, application, or system that is being considered—whether it is in a project phase or currently being designed and built—and support you through a DPIA process to identify and mitigate any risks that might be discovered. Whether you are rolling out a new staff survey, a new HR or finance system, a tool for intelligence gathering for law enforcement purposes, or looking to use facial recognition technology in any capacity, we can support you in covering all of the necessary GDPR requirements.