If you haven’t conducted a DPIA, start here.
I have been working with a number of organisations which have been reviewing their data protection policies and procedures due to recent changes to the Specialist Quality Mark (SQM).[1]
[1] Specialist Quality Mark standard, version 3, Legal Aid Agency, October 2022.
One issue that has emerged is that very few of them have conducted a data privacy impact assessment (DPIA).
Requirement F6.1 of the SQM[2] reads:
The organisation’s information handling policy must include as a minimum the following:
• Demonstrate compliance with the principal [sic] ‘by Design and by Default’ by having a process to identify when a Data Protection Privacy Impact Assessment is required … (emphasis in original).
[2] Ibid, page 109.
The principle requires organisations to ensure that individuals’ data is kept private through the way systems and procedures are designed. UK GDPR article 35(1) says that you must do a DPIA where a type of processing is likely to result in a high risk to the rights and freedoms of individuals:
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
Legal practices and advice organisations routinely handle sensitive personal data, often including data relating to children, and so should carry out DPIAs. The intention is that a DPIA is carried out before the organisation adopts new software or new ways of capturing or processing data, since the assessment should reveal any weaknesses in the system before it is implemented. This provides an opportunity to eliminate them, or to decide that the new system simply cannot be made sufficiently robust and should not be adopted.
If this requirement has passed you by, you won’t be alone, probably because this aspect of GDPR received much less publicity than, for example, the need for a lawful basis to hold data. If you are conducting a DPIA for the first time, there is some useful guidance on the Information Commissioner’s Office (ICO) website, and you can obtain advice from the ICO on issues arising from your DPIA, if needed.
Steps for conducting a DPIA
• Describe the nature, scope, context and purposes of the processing. You may have a data asset register that will help you with this.
• Conduct a data audit to ensure that you truly understand how people in your organisation are holding data – they may be using systems that you are not aware of, especially since having to adapt quickly to remote working during the pandemic.
• Questions to include:
  • Why do we hold it?
  • What is the lawful basis?
  • Where do we hold it?
  • Who uses it?
  • Do we share it with anyone?
  • Is the data sent to third countries not covered by GDPR? (Remember, ‘the cloud’ doesn’t really exist. Everything is held on a physical server in a geographical location.)
  • What would be the privacy impact of any breach?
  • What safeguards do we have in place?
• It’s important to conduct your audit in a way that will encourage people to be open and honest with you. If they think they are going to be punished, they are unlikely to tell you about anything they are using as a workaround that isn’t officially authorised.
• Don’t forget things like personal data submitted via the contact form on your website. Does your web host keep a copy of the data?
• Ensure that the organisation really needs all the data and that you are not keeping it for longer than necessary.
• Document the safeguards that you have in place and ask yourself if they are truly adequate.
• Record your DPIA and any changes you have made as a result.