Under the GDPR, you have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities. Under the GDPR, this is referred to as data protection by design and by default.
You should adopt internal policies and implement measures which help your organisations comply with the data protection principles – this could include data minimisation, pseudonymisation and transparency measures.
As part of a data protection by design approach, the GDPR requires organisations to conduct data protection impact assessments (DPIAs) in specific circumstances. DPIAs are a tool which can help you identify the most effective way to comply with your data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow you to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.
You must carry out a DPIA where a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of individuals.
Processing that is likely to result in a high risk includes but is not limited to:
* systematic and extensive processing activities, including profiling and where decisions that have legal effects – or similarly significant effects – on individuals;
* large scale processing of special categories of data or personal data relation to criminal convictions or offences; and
*large scale, systematic monitoring of public areas.
The ICO will publish a list of processing operations where DPIAs will be mandatory. Additionally, the Article 29 Working Party’s “Guidelines on data protection impact assessments” (PDF) include a list of criteria intended to assist organisations in determining when they should carry out a DPIA. In general, the more criteria the processing meets, the more likely it is to present a high risk, and therefore to require a DPIA.
It is recommended that you undertake a DPIA in cases where it is unclear whether doing so is required.
The DPIA should contain the following information:
* A description of the processing operations and the purposes including, where applicable, the legitimate interests pursued by the controller.
* An assessment of the necessity and proportionality of the processing in relation to the purpose.
* An assessment of the risks to individuals.The measures in place to address risk, including security and to demonstrate that you comply.
A DPIA can address multiple processing operations that are similar in terms of the risks presented, provided adequate consideration is given to the specific nature, scope, context and purposes of the processing.
You should start to assess the situations where it will be necessary to conduct one:
* Who will do it?
* Who else needs to be involved?
* Will the process be run centrally or locally?
If the processing is wholly or partly performed by a data processor, then that processor should assist you in carrying out the DPIA. It may also be appropriate to seek the views of data subjects in certain circumstances.
Where a DPIA indicates that the processing would result in a high risk and you are unable to mitigate those risks by reasonable means, you will be required to consult the ICO to seek its opinion as to whether the processing operation complies with the GDPR.
* Overview of the GDPR - Accountability and governance, ICO
* Guide to data protection - Privacy by design, ICO