Information Commissioner’s Office seeks comments on draft Data Protection Impact Assessment (DPIA) guidance

In a blog piece dated 26 March 2018, Ian Deasha, Information Rights Regulatory Development Group Manager at the ICO, writes that the ICO has for many years championed the benefits of voluntary Privacy Impact Assessments (PIAs) for new and innovative but potentially high-risk types of processing under the Data Protection Act 1998.

The GDPR, which will apply from 25 May 2018, now formalises this position by making Data Protection Impact Assessments (DPIAs) a legal requirement in certain circumstances.

Essentially, Mr Deasha says, a DPIA is a documented process that allows an organisation to systematically describe and analyse its intended processing of personal information, helping it to identify and minimise data protection risks at an early stage. As well as being a key element of a controller’s accountability obligations under the GDPR, an effective DPIA can have real benefits down the line: demonstrating compliance, building external trust, and avoiding the reputational and financial consequences of enforcement action following a breach.

Under the GDPR, controllers will be required to complete a DPIA where their processing is “likely to result in a high risk to the rights and freedoms of natural persons”.

Mr Deasha explains that “likely” does not mean the risk is certain; it is the controller’s responsibility to assess the level of risk of its intended processing by making a reasoned judgement on both the likelihood and the potential severity of harm. The ICO’s GDPR guidance sets out the examples highlighted in the GDPR itself, together with a further list, which the ICO is legally required to publish, of the types of processing it considers likely to be high risk.

The ICO’s draft DPIA guidance builds on its previous PIA code of practice, adding detail on the specific GDPR requirements. It includes a DPIA template, although controllers that anticipate carrying out many DPIAs may wish to develop their own, Mr Deasha says.

The draft guidance also sets out the circumstances in which controllers must consult the ICO before processing: where the DPIA identifies a high risk that they cannot reduce to an acceptable level through mitigating measures.

Where prior consultation is engaged, the ICO is required to provide written advice within eight weeks. Under the GDPR this period can be extended by a further six weeks where the intended processing is especially complex.

As well as offering advice, the ICO could in some circumstances issue a formal warning to the organisation, or even take formal action to ban the processing altogether.

The ICO is seeking comments on the draft guidance, in particular on whether it is clear when a DPIA will be necessary.

In addition, it would like controllers to indicate whether they expect to need to submit a DPIA to the ICO for written advice in the 12 months following 25 May 2018.

The consultation runs until 13 April 2018. The ICO is also planning a podcast on the DPIA guidance in the next few weeks.

The ICO has also published detailed guidance on legitimate interests as a lawful basis for processing under the GDPR. The full blog piece and the ICO guidance are available on the ICO website.