The ICO exists to empower you through information.

Risks and data protection impact assessments (DPIA)

Share Download options

Pages

Format

Control measure: There are appropriate policies, procedures and measures to identify, record and manage information risks.

Risk: If information risk management is not effective, there is a risk of inappropriate access, disclosure or loss of personal information. This may breach articles 5(f), 5(2), 32 of the UK GDPR.

Ways to meet our expectations:

  • Set out how your organisation and its data processors manage information risk in an information risk policy (either a separate document or part of a wider corporate risk policy), and decide how you monitor compliance with the information risk policy.
  • Have a process to help staff report and escalate information governance or data protection concerns and risks to a central point, for example staff forums.
  • Identify and manage information risks in an appropriate risk register, which includes clear links between corporate and departmental risk registers and the risk assessment of information assets.
  • Have formal procedures to identify, record and manage risks associated with information assets in an information asset register.
  • If you identify information risks, have appropriate action plans, progress reports and consider the lessons learnt to avoid future risk.
  • Put measures in place to mitigate the risks identified within risk categories, and test these regularly to make sure that they remain effective.

Options to consider:

  • Explain the links between the information risk register, the risk assessment of information assets, departmental risk registers and the corporate risk register to all staff, not just those with information risk-related roles.

Have you considered the effectiveness of your accountability measures?

  • Do staff know how to report and escalate concerns and risks?
  • Could staff explain the links between the information risk register, the risk assessment of information assets, departmental risk registers and the corporate risk register?

 

Control measure: There is a data protection by design and by default approach to managing risks, and, as appropriate, DPIA requirements are built into policies and procedures.

Risk: The requirement of privacy by design and default is not likely to be met without DPIA requirements built in at the ground level. This may breach article 35 of the UK GDPR.

Ways to meet our expectations:

  • Reference DPIA requirements in all risk, project and change management policies and procedures, with links to DPIA policies and procedures.
  • Ensure procedures state that, if required, a DPIA should begin at the project's outset, before processing starts, and that the DPIA must run alongside the planning and development process.
  • Anticipate risks and privacy-invasive events before they occur, making sure that at the initial design phase of any system, product or process and throughout, you consider the:
  • intended processing activities;
  • risks that these may pose to the rights and freedoms of people; and
  • possible measures available to mitigate the risks.

Options to consider: 

  • Carry out DPIAs for any existing live processing which you may not have appropriately risk assessed when originally started.

Have you considered the effectiveness of your accountability measures?

  • Would staff working on personal information processing projects be able to explain how they manage the risks as part of the project?

 

Control measure: There is understanding of whether a DPIA is required, or where it would be good practice to complete one. There is a clear DPIA policy and procedure.

Risk: There is a risk that a DPIA will not be carried out when it should be without appropriate DPIA procedures. This may breach UK GDPR article 35 requirements, and not take into account people’s rights and freedoms.

Ways to meet our expectations:

  • Have a DPIA policy which includes:
    • clear procedures to decide whether you conduct a DPIA;
    • what the DPIA should cover;
    • who will authorise it; and
    • how you will incorporate it into the overall planning.
  • Have a screening checklist to consider if you need a DPIA, including all the relevant considerations on the scope, type and manner of the proposed processing.
  • If the screening checklist indicates that you do not need a DPIA, document this.
  • Ensure your procedure includes the requirement to seek advice from the DPO and other internal staff as appropriate.
  • Ensure your procedure includes consultation with controllers, processors, people, their representatives and any other relevant stakeholders as appropriate.
  • Include the need to consider a DPIA at the early stages of any plan involving personal information in your training and, where relevant, train staff in how to carry out a DPIA.
  • Assign responsibility for completing DPIAs to a member of staff, who has enough authority over a project to effect change, eg a project lead or manager.

Options to consider: 

  • Consult with information asset owners (IAOs) to ensure there is a consistent approach and understanding to DPIA screening. 

Have you considered the effectiveness of your accountability measures?

  • Are your policies and procedures easy to locate?
  • Are staff aware of the process?
  • Do they consider it effective?
  • Have they had adequate training?
  • Are DPIAs conducted by those with appropriate authority to effect change?

 

Control measure: DPIAs always include the appropriate information and are comprehensively documented.

Risk: Without a documented DPIA process which requires DPIAs to be completed before processing begins, DPIAs may not be completed, and privacy risks of processing information may not be mitigated before processing begins. This may breach articles 5, 24, 32, 35-37, and 39 of the UK GDPR.

Ways to meet our expectations:

  • Implement a standard, well-structured DPIA template which is written in plain English.
  • Ensure DPIAs:
    • include the nature, scope, context and purposes of the processing;
    • assess necessity, proportionality and compliance measures;
    • identify and assess risks to people; and
    • identify any additional measures to mitigate those risks.
  • Ensure DPIAs clearly set out the relationships and data flows between controllers, processors, people and systems.
  • Ensure DPIAs identify measures that eliminate, mitigate or reduce high risks.
  • Have a documented process, with appropriate document controls, that is reviewed periodically to ensure it remains up to date.
  • Record your DPO’s advice and recommendations and the details of any other consultations.
  • Ensure appropriate people sign off DPIAs, such as a project lead or senior manager.

Options to consider: 

  • Check that staff who use the DPIA template find it easy to understand. 
  • Check that the process is effective.
  • Check with relevant stakeholders that their advice is taken into account.

Have you considered the effectiveness of your accountability measures?

  • Do staff use the DPIA template and find it easy to understand?
  • Is the process effective?
  • Is the DPO satisfied that their advice is taken into account?
  • Are they satisfied with any consultation that has taken place and how that you reflect any feedback in the outcome?

 

Control measure: There are appropriate and effective actions taken to mitigate or manage any risks a DPIA identifies, and there is a DPIA review process.

Risk: If the results of DPIAs are not acted on, then the risks of processing will not be mitigated. This may result in a breach of UK GDPR. Failure to keep outputs of DPIAs under review may fail to capture new risks in the processing control environment. 

Ways to meet our expectations:

  • Have a procedure to consult the ICO if you cannot mitigate residual high risks.
  • Integrate outcomes from DPIAs into relevant work plans, project action plans and risk registers.
  • Do not start high risk processing until mitigating measures are in place following the DPIA.
  • Have a procedure to communicate the outcomes of DPIAs to appropriate stakeholders, eg through a formal summarised report.
  • Consider actively publishing DPIAs where possible, removing sensitive details if necessary.
  • Agree and document a schedule for reviewing the DPIA regularly or when the nature, scope, context or purposes of the processing changes.

Options to consider: 

  • Train staff to integrate the outcomes of DPIAs into relevant work plans.

Have you considered the effectiveness of your accountability measures?

  • Do staff understand when to consult the ICO?
  • Do you effectively integrate outcomes from DPIAs into projects?
  • Are appropriate stakeholders aware of the outcomes of DPIAs?