The Information Commissioner’s Office (ICO) has recently updated its guidance on conducting DPIAs following guidance and recommendations from the European Data Protection Board.
A DPIA is mandatory if you are carrying out processing which is likely to result in a high risk to individuals. The GDPR requires controllers to go through a DPIA process if they plan to:
But the three examples of high risk processing identified in the GDPR are not exhaustive. The ICO’s newly updated guidance is helpful in determining whether processing operations that do not fit neatly into one or more of the three categories above nonetheless warrant a DPIA because they are high risk.
The ICO directs those who are assessing whether or not their processing is high risk to consider the guidelines on DPIAs (WP248 rev 01) adopted by the Article 29 Working Party and endorsed by the European Data Protection Board (the “European guidelines”). The European guidelines contain nine criteria for assessing high risk processing operations, summarised here:
If your processing meets two or more of these criteria, the European guidelines state that a DPIA will be required in most cases; be aware, too, that processing meeting only one of the criteria can also be high risk and require a DPIA. The European guidelines also contain useful examples of how the criteria can be applied effectively.
The ICO guidelines then provide a further list of processing operations in respect of which the ICO requires a DPIA:
The ICO has to a certain degree relaxed its own criteria for determining high risk processing, in that a DPIA is now only mandatory for the use of biometric data, genetic data or innovative technology when combined with one of the criteria from the European guidelines.
Finally, a brief reminder as to why it is important to make the correct decision when it comes to DPIAs: failure to carry out a mandatory DPIA may result in enforcement action, including an administrative fine of up to €10 million, or 2% of global annual turnover if higher. So, while it can’t be wrong to carry out a DPIA, the consequences can be serious if you are required to undertake one but fail to do so.
Sian Barr is a Senior Associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at sbarr@foxwilliams.com