DATA PROTECTION IMPACT ASSESSMENTS (DPIA)

When the University collects, stores or uses personal data, the individuals whose data it is processing is exposed to risks. A Data Protection Impact Assessment (DPIA) describes a process designed to identify risks arising out of the processing of personal data and to minimise these risks as far and as early as possible. DPIAs are important tools for negating risk, and for demonstrating compliance with the GDPR.

When should a DPIA should be conducted? Under the GDPR, a DPIA is mandatory where data processing “is likely to result in a high risk to the rights and freedoms of natural persons.” This is particularly relevant when a new data processing technology is being introduced. In cases where it is not clear whether a DPIA is strictly mandatory, carrying out a DPIA is still good practice and a useful tool to help data controllers comply with data protection law.The GDPR provides some non-exhaustive examples of when data processing is “likely to result in high risks”:

  • “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person”
  • “processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10”
  • “a systematic monitoring of a publicly accessible area on a large scale” 

When is a DPIA not required? A DPIA is generally not required in the following cases:

  • Where the processing is not “likely to result in a high risk to the rights and freedoms of natural persons”(article 35(1))
  • When the nature, scope, context and purposes of the processing are very similar to the processing for which DPIAs have been carried out. In such cases, results of a DPIA for similar processing can be used (Article 35(1))

When in a project lifecycle should a DPIA be conducted? The DPIA should be carried out “prior to the processing” (GDPR Articles 35(1) and 35(10), recitals 90 and 93). It is good practice to carry out a DPIA as early as practical in the design of the processing operation.  For some projects the DPIA may need to be a continuous process, and be updated as the project moves forward.

Who should be involved in conducting the DPIA? The Data Controller (the University) is responsible for ensuring the DPIA is carried out. The Project Principal Investigator or the Unit Head or Head of School generally carries these out on behalf of the University.Under the GDPR (Article 35), it is necessary for any Data Controller (in this case the University) to seek the advice of the University Data Protection Officer. This advice and the decisions taken should be documented as a part of the DPIA process.

The Data Controller is bound to “seek the views of data subjects or their representatives” (Article 35(9)), “where appropriate” in carrying out the DPIA.

What steps are involved in carrying out a DPIA? The GDPR sets out the minimum features of a DPIA (Article 35(7), and recitals 84 and 90):

  • “a description of the envisaged processing operations and the purposes of the processing”
  • “an assessment of the necessity and proportionality of the processing”
  • “as assessment of the risks to the rights and freedoms of data subjects”
  • “the measures envisaged to:
  • “address the risks”;
  • “demonstrate compliance with this Regulation”.

The following steps can be used as a guide through the process:

  1. Identifying whether a DPIA is required
  2. Defining the characteristics of the project to enable an assessment of the risks to take place
  3. Identifying data protection and related risks
  4. Identifying data protection solutions to reduce or eliminate the risks
  5. Signing off on the outcomes of the DPIA (Consult with Data Protection Officer)
  6. Integrating data protection solutions into the project

Mandatory circumstances where a DPIA must be conducted:

In addition, in accordance with GDPR Article 35(4), the Date Protection Commissioner has determined that a DPIA will also be mandatory for the following types of processing operation where a documented screening or preliminary risk assessment indicates that the processing operation is likely to result in a high risk to the rights and freedoms of individuals pursuant to GDPR Article 35(1):

1) Use of personal data on a large-scale for a purpose(s) other than that for which it was initially collected pursuant to GDPR Article 6(4).

2) Profiling vulnerable persons including children to target marketing or online services at such persons.

3) Use of profiling or algorithmic means or special category data as an element to determine access to services or that results in legal or similarly significant effects.

4) Systematically monitoring, tracking or observing individuals’ location or behaviour.

5) Profiling individuals on a large-scale.

6) Processing biometric data to uniquely identify an individual or individuals or enable or allow the identification or authentication of an individual or individuals in combination with any of the other criteria set out in WP29 DPIA Guidelines.

7) Processing genetic data in combination with any of the other criteria set out in WP29 DPIA Guidelines.

8) Indirectly sourcing personal data where GDPR transparency requirements are not being met, including when relying on exemptions based on impossibility or disproportionate effort.

9) Combining, linking or cross-referencing separate datasets where such linking significantly contributes to or is used for profiling or behavioural analysis of individuals, particularly where the data sets are combined from different sources where processing was/is carried out for difference purposes or by different controllers.

10)Large scale processing of personal data where the Data Protection Act 2018 requires “suitable and specific measures” to be taken in order to safeguard the fundamental rights and freedoms of individuals.

This list does not remove the general requirement to carry out proper and effective risk assessment and risk management of proposed data processing operations nor does it exempt the controller from the obligation to ensure compliance with any other obligation of the GDPR or other applicable legislation. Furthermore, it is good practice to carry out a DPIA for any major new project involving the use of personal data, even if there is no specific indication of likely high risk. With reference to point 1 above, where an organisation wishes to use personal data for purposes other than for which it was originally collected, Article 6(4) of the GDPR requires the organisation to do a compatibility test. That test should take into account any links between the original and new purposes, the context in which the data was collected (in particular the relationship between the individual and the organisation, the type of personal data involved (i.e. special categories of data), the possible consequences for individuals of the further processing, and if appropriate safeguards exist (i.e. encryption or pseudonymisation).

Advice: Please see following links for detailed advice on Data Protection Impact Assessments:

http://gdprandyou.ie/data-protection-impact-assessments-dpia/

https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236

Please complete this checklist to see if you are required to complete a Data Protection Impact Assessment: NUI Galway Data Protection Impact Assessment Checklist

If you have decided it is necessary to complete a DPIA. Please see this link for the NUI Galway Data Protection Impact Assessment Template: NUI Galway Data Protection Impact Assessment Template April 2019

The University Data Protection Officer should also be consulted on matters pertaining to Data Protection Impact Assessments.