The UK Data Protection Regulator, the Information Commissioner’s Office (ICO), published yesterday new guidance on conducting Data Protection Impact Assessments (DPIAs) under the General Data Protection Regulation (GDPR).
The guidance follows earlier guidance from the Article 29 Working Party (WP29). This note uses some technical data protection terms which are explained in our Glossary here (http://www.corderycompliance.com/eu-data-protection-glossary/). Our alert in October on the WP29 guidance is here (http://www.corderycompliance.com/client-alert-new-dpia-guidance-issued/). There is more detailed guidance on DPIAs in Cordery’s GDPR Navigator here (http://www.corderycompliance.com/gh-cordery-gdpr-navigator/). The next GDPR Navigator monthly call will feature more guidance and a question and answer section on DPIAs.
What is a DPIA?
A Data Protection Impact Assessment (DPIA) is mandatory in some cases under GDPR. At its simplest, it is a way of assessing data protection risk in any process that involves personal data. A good DPIA process will enable you to identify exactly what you are planning to do with personal data, what the risks are and how you are going to address them. There are consultation obligations as part of the DPIA process including, in some cases, the obligation to show your DPIA to a Data Protection Authority (DPA) and seek prior approval.
Our experience is that DPIAs are a key element of any GDPR plan. Done well a DPIA can reduce data protection risk but also reduce risk across the board.
Are there any surprises in the guidance?
The simple answer is no. Anyone familiar with the DPIA process and the previous WP29 guidance will find little new to trouble them. The guidance is, however, helpful in setting out how the ICO, as the UK’s DPA, intends to handle DPIAs when it has to be consulted.
How long will that consultation with the ICO take?
If the results of your DPIA mean that you have to refer it to the ICO, the ICO plans to give written advice within 8 weeks, or 14 weeks in complex cases. The clock starts when the ICO has all of the information it requires, but time does not run when there is an outstanding query. As a result, it is important to make sure that you seek out all of the information you need before approaching the ICO and that you build these potential delays into any project plan. There is another clear need to make sure that your DPIA is up to standard – the ICO specifically say in the guidance that if it is not happy with the DPIA it may issue a formal warning not to process the data or ban the processing altogether.
The ICO have made it clear in the guidance that processing cannot begin until the ICO has been consulted if the consultation obligation arises.
The ICO says that in some cases it will need to consult other DPAs where there could be an impact on data subjects in other EU Member States. When it feels that this is the case it will send a notification to the Data Controller, but it will no longer be bound by the 14 weeks maximum. For many organisations this is significant as their operations will touch more than one EU Member State and they are unlikely to have any certainty as to how long the DPIA consultation will take.
What about existing processes?
Already we are seeing some differences in the guidance issued by different DPAs across Europe. Probably the biggest area of difference is in the guidance that they are giving on existing processes. The ICO’s position is:
“In the run-up to 25 May 2018, you also need to review your existing processing operations and decide whether you need to do a DPIA…for anything which is likely to be high risk. You do not need to do a DPIA if you have already considered the relevant risks and safeguards in another way, unless there has been a significant change to the nature, scope, context or purposes of the processing since that previous assessment.”
In practice, this is likely to mean that most organisations will need to review existing processes as from our experience it is unlikely that an assessment has been done on existing processes to the rigour which the DPIA regime would require. Where you are not doing a DPIA on an existing process, you will need to be prepared to explain why. The ICO guidance says:
“We recommend that you document your review and the reasons for not conducting a new DPIA where relevant, to help you demonstrate compliance if challenged.”
Do I have to use a set template?
No. At Cordery we have had lots of experience of designing DPIA templates to fit into an organisation’s existing processes and that is still allowed.
Can I ask a vendor for help?
Again, the simple answer is yes. We’ve helped a number of new technology vendors with “flat-pack DPIAs” which enable a vendor to help their customers go through the DPIA process. The ICO guidance specifically allows for this saying:
“For new technologies, you may be able to use a DPIA done by the product developer to inform your own DPIA on your implementation plans.”
It is important to remember, however, that the primary responsibility for doing a DPIA will remain with the Data Controller.
Even if new technology is not involved, the ICO specifically says that you could ask a Data Processor to conduct a DPIA for you although the Data Controller remains responsible. They also say that any contract with a Data Processor should include a contractual provision that the Data Processor will, if required, assist the Data Controller with the DPIA process and provide the necessary information and assistance.
Do I need to review DPIAs?
Yes. A key theme of the WP29 guidance is regular review and this theme is also evident in the ICO guidance. The ICO says:
“You should not view a DPIA as a one-off exercise to file away. A DPIA is a ‘living’ process to help you manage and review the risks of the processing and the measures you’ve put in place on an ongoing basis. You need to keep it under review and reassess if anything changes. In particular, if you make any significant changes to how or why you process personal data, or to the amount of data you collect, you need to show that your DPIA assesses any new risks. An external change to the wider context of the processing should also prompt you to review your DPIA. For example, if a new security flaw is identified, new technology is made available, or a new public concern is raised over the type of processing you do or the vulnerability of a particular group of data subjects.”
Consultation on the guidance
The ICO has some parts of its DPIA process open to consultation but the time limit is tight. The consultation closes on Friday 6 April 2018, although other materials from the ICO suggest that that deadline has already been extended until Friday 13 April 2018.
We’ve much more detailed advice on DPIAs in GDPR Navigator, which includes a detailed guidance note on the accountability elements of GDPR and a 25-minute film on DPIAs with best practice and tips for compliance. There are more details of GDPR Navigator here www.bit.ly/gdprnav. We’ve also helped businesses prepare their DPIA templates and led workshops on the key skills needed to run a DPIA effectively.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH||André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH|
|Office: +44 (0)207 075 1784||Office: +44 (0)207 075 1785|