A short guidance note explaining when DPIAs may need to be conducted by businesses - and how - and containing links to a template DPIA Policy and DPIA Form.
Whilst not a strict legal requirement, it has always been good practice to carry out data protection impact assessments to mitigate the risks associated with new projects. However, the GDPR makes DPIAs mandatory in certain circumstances. The GDPR also requires DPIAs to be recorded and documented in a specific way.
Broadly speaking, a DPIA will be required in situations where data processing is likely to result in a high risk to individuals, for example where a new technology is deployed; where a profiling operation is likely to significantly affect individuals; or where there is processing on a large scale of sensitive personal data.
If a DPIA indicates that the data processing is high risk, and you cannot sufficiently address those risks, you should either not proceed with the project or, if you do wish to go ahead, you will be required to consult the ICO to seek its opinion as to whether the processing operation complies with the GDPR.
You should ensure that you build in sufficient time to the relevant project in order to carry out a DPIA if necessary. However, in practice, the IPA considers that the situations where agencies will themselves be required to carry out a DPIA will be relatively limited. Also, each DPIA will not require the same level of detail. The extent of the DPIA will depend on the nature of the project and risks involved. If it is a straightforward project, the DPIA could be relatively short. In contrast, a larger, more complicated, or more obviously ‘risky’ proposal will likely require a more thorough DPIA.
In any event, agencies should ensure they have an appropriate DPIA policy in place which should be periodically reviewed and updated as necessary to ensure it is effective and meets your agency’s requirements. It is also important that the policy is actually implemented within your agency. The relevant personnel must be actively made aware of the policy, trained on the requirements, and required to comply with it.
It is also important to note that the obligation to carry out a DPIA (and to consult the ICO if necessary) will only directly apply when your agency is acting as the “data controller” as opposed to the “data processor”. Where your agency is acting as a “data processor”, the obligations regarding DPIAs do not directly apply - there is, however, a requirement for your agency to include in your contracts with clients an obligation to assist the client with the client’s obligations regarding DPIAs. It is therefore important to be aware of the requirements nonetheless so you have a better understanding of the client’s likely needs and expectations.
The IPA has produced a template DPIA policy for agencies to use as part of the development and rolling-out of your agency’s own internal data protection policies and procedures. The DPIA policy explains what a DPIA is, the circumstances when a DPIA must be conducted, and how to conduct one.
The IPA has also produced a template DPIA form which agencies can use to ensure that their DPIAs record all the necessary steps and information as required by the GDPR. The DPIA form is referred to in the DPIA Policy.
Please note that the DPIA policy is intended as an example and to be used as a starting point only. It is not intended to be comprehensive or a finalised policy and will not, by itself, guarantee that your agency achieves full compliance with the GDPR. It is critical that you thoroughly review the DPIA Policy and customise it to fit your agency’s business before rolling it out internally within your agency.
The DPIA policy is designed to work in conjunction with the other policies referred to in this Guidance as well as any other policies and procedures your agency may have. The DPIA policy includes highlighted guidance notes and square bracketed words – these should be addressed and eventually removed as part of the implementation of the DPIA policy. The DPIA policy also includes some background guidance notes in red at the start of the document, these red notes should also be removed as part of the finalisation of the policy.