The session was centred on considerations when it comes to Data Protection Impact Assessments.

When should a DPIA be carried out:

The current legal position is that a DPIA needs to be completed before carrying out types of new or changed processing that is likely to result in a high risk to individuals’ interests. The reason for this is to assess the level of risk and whether you will be able to mitigate against such risk. If you cannot mitigate the risk, and the risk remains high, you must consult with the ICO before carrying out this practice.

Specifically, DPIAs must be done in the following situations:

• Using systematic or extensive profiling with significant effects;
• Processing special category or criminal offence data on a large scale;
• Systematically monitor publicly accessible places on a large scale.

Judicium’s advice is to complete a DPIA when using any new technologies / systems. This will ensure you will be able to assess it fully prior to use, minimising any potential risk to an individual’s data privacy. The more sensitive the data used, the more likely a DPIA needs to be done.

Examples of when to carry out a DPIAs:

• Introducing biometrics
• Introducing or extending your CCTV systems
• Introducing a new parent app.
• Moving your safeguarding records to a new electronic app.
• Using more intrusive technologies (such as those that record or track and monitor individuals).
• Holding intrusive and sensitive data.

What the ICO considers to be High Risk:

The 10 areas the ICO deems to be high risk are:

1. Innovative technology: Processing involving the use of innovative technologies, or the novel application of existing technologies (including AI).
2. Denial of service: Decisions about an individual’s access to a product, service, opportunity or benefit that is based to any extent on automated decision-making (including profiling) or involves the processing of special category data.
3. Large-scale profiling: Any profiling of individuals on a large scale.
4. Biometrics: Any processing of biometric data.
5. Genetic data: Any processing of genetic data, other than that processed by an individual GP / Health professional for the provision of health care direct to the data subject.
6. Data matching: Combining, comparing or matching personal data obtained from multiple sources.
7. Invisible processing: Processing of personal data that has not been obtained directly from the data subject, in circumstances where the controller considers that compliance with Article 14 would prove impossible or involve disproportionate effort.
8. Tracking: Processing which involves tracking an individual’s geolocation or behaviour, including but not limited to the online environment.
9. Targeting of children / other vulnerable individuals: The use of the personal data of children or other vulnerable individuals for marketing purposes, profiling or other automated decision-making, or if you intend to offer online services directly to children.
10. Risk of physical harm: Where the processing is of such a nature that a personal data breach could jeopardise the physical health or safety of individuals.

These are not all mandatory on their own, but are when combined with EU guidance on indicators of high-risk. These high-risk indicators include:

• Evaluation or scoring.
• Automated decision-making with legal or similar significant effect.
• Systematic monitoring.
• Sensitive data or data of a highly personal nature.
• Data processed on a large scale.
• Matching or combining datasets.
• Data concerning vulnerable data subjects.
• Innovative use or applying new technological or organisational solutions.
• Preventing data subjects from exercising a right or using a service or contract

Judicium’s advice is that if any of the above are applicable, it would be best to do a DPIA.

Why are DPIAs important to do:

The most obvious reason is because in some situations we have to. But other reasons include:

• Can help you identify risks / possibly identify when we might be using data we don’t need.
• It helps you consider ways in which you can minimise any negative impact to individuals.
• Helps to consider issues prior to implementation. By addressing the issues early on (or not dealing with a risky process) this might also reduce cost, for example making processes more straightforward, collecting less data.
• It will help improve public trust and ensure good practice across the organisation, as it shows that you treat individual’s data seriously.
• It helps to ensure you have a data protection by design / default approach which is built within the regulations. This essentially means that you consider Data Protection and build it into your practices, rather than wait until something goes wrong. Thus, all about embedding a pro-active GDPR culture in your organisation.
• Finally, for accountability purposes – It helps you evidence that you comply with the Data Protection regulations.
• Besides all the above, you could potentially be fined by the ICO if you do not do them.

It is important to engage in the process and not see it as an Academic / Check box exercise.

Best ways to complete a DPIA:

Firstly, DPIAS must include:

1) Nature, scope, context and purposes of the processing
2) Assess necessity, proportionality and compliance measures
3) Identify and assess risks
4) Identify additional measures to mitigate those risks.

Top Tips for completing DPIAs include:

• Always assess the software you will be using against the Data Protection principles. How will they be kept secured? How long will we retain the data? Have we established our lawful basis? How will we be transparent with those whose data we use?
• Review any third parties’ policies and systems to ensure there are no risks from their practices, for example where they transfer data outside the EEA.
• When reviewing risk – consider both the likelihood of risk and the severity of risk.
• Make sure the DPIA is done before using the new system where possible. Individuals should factor in the time it will take to complete DPIAs, as sometimes it takes time to investigate / discuss matters with providers.
• Make sure you run your DPIA past your DPO and get their sign off.
• Keep your DPIAs under review, as it’s hard to predict every eventuality. Also ensure that what you say will happen actually gets put into place.

Common myths / problems around DPIAs:

• GDPR means we can’t share data in a particular way – This is not true, if it was that risky, you can consider a DPIA. This can help you identify and minimise any risks. It also helps promote trust in the way that you have thought about this before doing a particular exercise.
• DPIAs are a burden – They don’t have to be. Consider the best way to work them into the organisation. If you are over-using them then maybe consider if you need to do be doing that many. They also need to be of some use. Don’t treat them as an academic exercise.
• DPIAs are the DPO responsibility – This is not the case, generally they are a team effort. The DPO can help identify risks, but usually it will be other staff who are actually using the data. This will enable them to consider and use it in a safe way.
• You have to do DPIAs for everything – This is not true. Essentially, DPIAs need to be done in things where it’s high-risk. It is also best practice to do for when you are using new software / systems. There is also no need to do a retrospective DPIAs, unless you have identified inherent risks that you will have to address.

If you require any support in any of these steps, or would like to talk to someone surrounding some support for your school please do not hesitate to call us on 0203 326 9174 or email tara.jones@judicium.com.