Procedure for Data Protection Impact Assessments at Queen Mary University of London
What is a Data Protection Impact Assessment?
‘Data protection by design and by default’ is an approach mandated by the GDPR. A Data Protection Impact Assessment (DPIA) is a key component of this. A DPIA is a process designed to help an organisation to identify and minimise the privacy and security risks that may arise when systems, services, procedures or policies are changed or introduced. A DPIA can also be used for research projects.
These risks include mainly risks to individuals, in terms of damage and distress caused when personal data is mishandled, and organisational risks, such as financial and reputational damage resulting from data breaches.
The outcome of a DPIA should be a reduction in risk to the rights and freedoms of individuals whose personal data is to be processed and improved compliance with data protection legislation. In certain circumstances, it is a legal requirement to carry out a DPIA. Consideration of whether a DPIA is required is therefore an important stage in any project plan.
When is a DPIA required?
Under the GDPR, a DPIA is mandatory for certain types of processing, or any other processing that is likely to result in a high risk to individuals’ interests. The ICO has set out criteria here.
Even where the risk to individuals is not judged to be high, DPIAs should be considered for any new projects, and policy or service changes, involving use of personal data. Some examples of when a DPIA might be appropriate include: migration of personal data from one system to another; using a new system or application, or an existing one in a different way to the past; adopting new technology that may be untried.
They should be considered at an early stage, where there is the greatest scope for addressing risks and influencing project design and implementation, such as when the business case is first drafted or research study being designed.
DPIAs can be run alongside or be integrated with other project activities.
Why carry out a DPIA?
There are a number of benefits:
- Assurance that we have followed the law and best practice.
- Improved transparency. Makes it easier for people to understand how and why their personal data is being used.
- Reduction or elimination of risks to individuals.
- Demonstrates accountability.
- Increased awareness of privacy and data protection issues across the organisation.
- Financial benefits. Early identification of data protection problems can be less costly and ongoing costs can be reduced if use of personal data is minimised.
Who conducts the DPIA?
The Data Protection Officer has overall responsibility for DPIAs across the organisation. However, much of the DPIA process can be completed by the project team in consultation with the Records & Information Compliance Manager, using the DPIA template documents (see below for details).
Ideally, a member of the project or research team should be identified as having responsibility for overseeing the DPIA. The Records & Information Compliance Manager will work with the team to provide advice and guidance and ensure the necessary documentation is completed. The DPO will be consulted and sign-off.
What do the project team need to know about data protection?
Although data protection legislation underpins the DPIA, it is not necessary for project teams to have in-depth knowledge of the current data protection law. However, it should be noted that data protection training is important and encouraged for all Queen Mary staff.
What steps will the DPIA involve?
- Identify the need for a DPIA This stage should be done for all projects, big and small, to identify what – if any – further action is required. Consult with the Records & Information Compliance Manager if necessary.
- Describe the information flows The project team will complete this stage.
- Identify the privacy and related risks The Records & Information Compliance Manager will work with the project team to complete this stage.
- Identify and evaluate the data protection solutions The Records & Information Compliance Manager will work with the project team to complete this stage.
- Sign off and record the DPIA outcomes The Records & Information Compliance Manager will work with the project team to complete this stage. The DPO will ultimately provide sign-off.
- Integrate the outcomes into the project plan The project team will complete this stage.
At all stages: Consult with internal and external stakeholders as needed throughout the process.
All steps should be completed for large projects and those involving sensitive or large amounts of personal data. For smaller, lower-risk projects not all steps may be required.
Where can I get a template for a DPIA?
We use the Information Commissioner’s Office’s template available from https://ico.org.uk/media/for-organisations/documents/2553993/dpia-template.docx
What happens after a DPIA?
On completion of a full-scale DPIA, the project team and the DPO should have a set of completed documentation.
The results of the DPIA should be fed back into the project management process (see steps 5 & 6 above) to be considered at project closure, post-project review and lessons learned. If the project aims evolve throughout the process, the project team should review step 1, to ensure the DPIA is still required or fit for purpose.
The Information Commissioner recommends organisations publish the outcome of a DPIA. Any DPIA documentation (including associated emails) may also be requested under the Freedom of Information Act 2000. Proactive publication improves transparency and can be an important part of a project’s communication plans, however it may be that some aspects of the DPIA are commercially sensitive. Such information should be clearly identified within the documentation.