Do I need to do a DPIA?

Whenever you implement a new processing activity, system, or process, you should consider whether a DPIA is needed. This should be done as early as possible in the process to allow time for the implementation of risk mitigation.

Step One: is a DPIA legally required?

The first thing to consider is whether the new activity is caught by one of the scenarios listed in Article 35 of the GDPR. There are three situations in which the law requires a DPIA is conducted.

Firstly, a DPIA is required if automated decision-making has a significant effect on the individual. For example, if software is used to filter job applications or social housing applications automatically based on set criteria then this would be considered a significant effect.

Secondly, a DPIA is required if special category or criminal conviction and offence data is processed on a large scale. Special category data is defined in Article 9 of GDPR, which lists the types of data that require extra protection. Broadly, these categories are types of information that could harm the individual if misused, such as racial or ethnic origin data, health data, and information about someone’s sexuality. Notably, however, financial information such as bank details are not special category data. Some people are surprised to learn that age and gender are not special category either.

There is no definition of large scale in the GDPR. Guidance by the ICO lists factors to consider when deciding if processing is large scale, including the number of individuals, volume of data, and duration of processing. Large scale is relative to the size of the organisation doing the processing: large scale processing for an SME would not be large scale for a large company like Amazon. Recital 91 of EU GDPR also states that patient data processed by a health professional and client data processed by a lawyer are not large scale and a DPIA is not required in these situations. (Recitals are not binding in the UK but provide a useful guide to interpretation of the GDPR).

Finally, a DPIA is required if systematically monitoring a publicly accessible area on a large scale. This essentially means that you need to do a DPIA if you plan on using a CCTV system that captures a public area. This could include cameras aimed at your property that also capture the street outside.

Step Two: do the ICO require me to do a DPIA?

In addition to the situations listed in the law, the ICO has produced a list of high-risk processing activities which require a DPIA. The list includes 10 broadly defined activities:

1. Innovative use of technology.
2. Automated decision-making about an individual’s access to services or opportunities.
3. Profiling on a large-scale (automated evaluation of an individual’s characteristics).
4. Use of biometric data (fingerprints, voice recognition, etc.) to identify an individual.
5. Processing of genetic data for reasons other than the individual’s health care.
6. Comparing data obtained from multiple sources (e.g., for fraud prevention).
7. Processing that the data subject is unaware of.
8. Tracking an individual’s location or behaviour, including online.
9. Targeting children or vulnerable people for direct marketing.
10. Where a breach could result in physical harm to the individual.

Step Three: should I do a DPIA even if it isn’t required?

The ICO considers it best practice to do a DPIA even if the processing is not likely to result in a high risk. However, a DPIA can be a long and complicated process requiring significant resources. If a DPIA is not required by law or the ICO’s list, we would suggest conducting a more high-level risk assessment instead. A DPIA is only one form risk assessment and there are many alternatives.

DPP’s support desk are happy to advise whether a DPIA is needed in a specific situation and can help produce a checklist to evaluate this need. If a DPIA is required, DPP can assist with this process.