
Toolkit

All questions are mandatory, as indicated by *.

Page 1 of 4

4. Have you conducted a data protection impact assessment (DPIA) before the deployment of your data analytics system?

Article 35(1) of the UK GDPR says:

"Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data."

DPIAs are a key part of your accountability obligations under the UK GDPR, and when done properly can help you assess and demonstrate how you comply with all of your data protection obligations.

Data analytics is likely to be classed as an innovative technology and to involve profiling individuals on a large scale, so if you use it to process personal data you must carry out a DPIA. In any case, it is good practice to do a DPIA for any major project that involves the use of personal data.

5. Have you identified any high risks in your DPIA that you have been unable to sufficiently mitigate?

Article 36(1) of the UK GDPR says:

"The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk."

There is no explicit definition of ‘risk’ in the UK GDPR, but the various provisions on DPIAs make clear that this means risks to individuals’ interests: risk is tied to the potential for harm or damage to individuals. Recital 75 of the UK GDPR gives examples of processing that may lead to physical, material or non-material damage, in particular where the processing may give rise to:

• discrimination;

• identity theft or fraud;

• financial loss;

• damage to the reputation;

• loss of confidentiality of personal data protected by professional secrecy;

• unauthorised reversal of pseudonymisation; or

• any other significant economic or social disadvantage.

6. Has your system been designed to put in place appropriate measures to implement the data protection principles and safeguard individuals’ rights?
(optional)

Article 25 of the UK GDPR sets out ‘data protection by design and by default’ as both an approach and an obligation: it requires you to integrate data protection concerns into every aspect of your processing activities. These are key elements of the UK GDPR’s risk-based approach and its focus on accountability, ie being able to demonstrate how you are complying with its requirements.

Although data protection law does not dictate how designers should do their job, if you use data analytics to process personal data you must comply with the principles of data protection by design and by default.

7. Have you considered the competing interests in your data analytics system and how to manage them?
(optional)

Your use of data analytics must comply with the requirements of data protection law. However, a number of different values or interests are involved, and they may at times pull in different directions. For example, you may find that collecting more data improves the statistical accuracy of your data analytics system but risks contravening the data minimisation principle. Collecting less data may reduce statistical accuracy, and an inaccurate system that produces unjustified decisions about individuals risks contravening the fairness principle.