When do we need to consult the ICO?
If you have carried out a DPIA that identifies a high risk and you cannot do anything to reduce it, prior consultation with the ICO is required under UK GDPR. You cannot go ahead with the processing until you have consulted us.
The focus is on the ‘residual risk’ after you have taken any mitigating measures. If your DPIA identified a high risk but you have done things to reduce the risk so it is no longer high, you need not consult us.
How do we consult the ICO?
Send us a copy of your submission. You must include:
- a description of the respective roles and responsibilities of any joint controllers or processors;
- the purposes and methods of the intended processing;
- the measures and safeguards taken to protect individuals;
- contact details of your DPO (if you have one); and
- a copy of the DPIA.
What happens next?
When we receive your DPIA, we will send you an acknowledgement and check we have all the information we need.
We will write to you within 10 days to let you know if we have accepted your DPIA for prior consultation. We will explain our reasoning.
You may not hear from us again until we provide our written advice. If we have further queries, we may make contact to arrange a telephone call or meeting with you.
What happens if we do not accept your DPIA?
We may wish to discuss your proposed processing with you, even if your DPIA does not meet the criteria for prior consultation. If so, we will explain to you how we would like to engage with you.
How is your DPIA assessed?
If we accept your DPIA, we don’t just look at the risks you documented. We consider all of your submission – your DPIA documentation and any further information you provided – along with any prior contact you may have had with our office.
We seek to understand in detail the context and nature of the processing you are proposing, including any controller-processor relationships. We will also assess the extent to which you have evidenced compliance with the Data Protection Principles.
To do this effectively, we may need to ask you to give us more information.
How long does it take?
Where we provide advice under the prior consultation process, we will get back to you within eight weeks of receipt of your DPIA. In complex cases, we can extend this to a maximum of 14 weeks. If we need to extend the deadline, we will tell you within one month of the date you submitted your DPIA. We will explain our reasons.
If we need to ask for more information, we cannot continue our assessment until you provide it. To prevent further delay, please ensure you include any documents your assessment refers to, such as privacy notices.
If your intended processing operation would affect data subjects in EU member states, we may be required to co-operate with other data protection authorities before providing our written advice, in line with Chapter VII UK GDPR. This may mean your case cannot be resolved in 14 weeks. We will notify you if this occurs and keep you updated.
What are the possible outcomes?
We may come to the view, based on your DPIA, that risks have been sufficiently identified and mitigated, and that you may proceed with the processing.
Our written response could be limited to advice on how you can further mitigate identified risks before you proceed with your processing.
In some circumstances, we may also issue an official warning, a new corrective power under UK GDPR, alongside any advice we provide. We will issue warnings where we are concerned that your intended processing is likely to contravene UK GDPR. Any warning will explain the reasons for our concerns, and the steps we recommend you take to avoid any contravention.
If we have more significant concerns, we may impose a limitation or ban on your intended processing.
In any outcome, our written response to you will make clear what you may and may not do.
Can we appeal?
Warnings are not subject to appeal, but you may seek judicial review if you disagree with the way we made the decision.
You can seek a review of other corrective measures (such as limitations or bans on processing) by appeal to the First Tier Tribunal.
More information on appeals against the Information Commissioner can be found here.