A Data Protection Impact Assessment (“DPIA”) is a process which helps employers to identify, analyse and minimise the data protection risks of a project. But when should employers be using a DPIA and what makes a DPIA effective?
When should employers be using a DPIA?
The Data Protection Act 2018 (the Act) states that a DPIA must be implemented before any processing is undertaken which is “likely to result in a high risk” to individuals. The Information Commissioner’s Office (ICO) provides greater clarity on this, by also requiring a DPIA in certain specified situations.
It is important when assessing whether something is high risk to consider not just the likelihood of harm occurring but also the severity of that harm on individual employees. So, for instance, harm which is very likely and harm which is less likely but very serious are both likely to be deemed high risk.
From an employer’s perspective, the most likely scenarios giving rise to a need to complete a DPIA include where an employer plans to introduce the use of:
1. profiling (i.e. automated processing of data to analyse or to make predictions about individuals) or processing special category data to decide on things such as:
a) access to employee benefits,
b) services or sanctions, such as automated decision-making in recruitment; or
c) introducing a drug and alcohol testing policy within the workplace;
2. biometric data, for instance fingerprint or retinal scanners to access the workplace;
3. tracking devices to record individuals’ location or behaviour, such as tachographs within company vehicles or CCTV monitors in a warehouse;
4. electronic surveillance of employee activity whilst at work (such as monitoring internet and email usage).
Given the current pandemic, asking employees to complete a health questionnaire or to undergo Covid-19 related testing (such as lateral flow tests carried out in the workplace) could also trigger the need to complete a DPIA. Both are particularly relevant as we see an increase in employees returning to the workplace.
Even in situations where a high risk is not identified, it might be good practice for an employer to complete a DPIA to instil confidence in employees about the decisions being made. In short, employers should complete a DPIA for any major project which requires the processing of employee personal data.
Using a DPIA effectively
It is important that the DPIA is completed prior to the processing or monitoring being implemented.
Guidance from the ICO suggests that an effective DPIA should:
- describe the nature, scope, context and purpose of the processing;
- assess the need for the activity in question, whether the activity is proportionate to that need, and the compliance measures adopted;
- identify and assess the risks to the individual employees’ rights and interests; and
- identify any additional measures put in place by the employer to mitigate those risks.
Employers who have a data protection officer should involve them in completion of the DPIA, along with any other relevant experts or stakeholders.
It is important that the DPIA covers not only the organisation’s compliance with the Act, but also balances the rights of the individual employees whose personal data is being processed. A good DPIA will help an employer evidence that:
- it has considered the risks related to the intended processing/monitoring; and
- it has met its broader data protection obligations.
Once the DPIA is completed, it should be signed off and any mitigation measures identified put into place to enable the proposed activity to begin.
Where a DPIA identifies a high risk that cannot be sufficiently mitigated, then the employer will either have to decide not to go ahead with that particular processing/monitoring or seek further guidance from the ICO.
It is also important that the DPIA is kept under review and updated should there be any change in the processing activity.
What happens if an employer doesn’t complete the DPIA?
A failure to complete a DPIA will not in itself be a data breach. However, it may mean that an employer undertakes processing of employee data in a way which does constitute a data breach because the appropriate mitigation measures have not been identified or implemented.
Similarly, a failure to conduct a DPIA adequately can potentially also lead to a breach where appropriate measures have not been implemented. In such situations the ICO could advise the employer to stop the processing until those measures are put in place, issue a formal warning or ban the processing altogether.
Top tips for handling a DPIA
1. Be as clear and transparent as possible.
2. When assessing the level of risk, consider not only whether harm could be caused, but the severity of harm caused.
3. Consider how any risks might be mitigated.
4. Continue to review and update the DPIA when possible.
If you would like assistance with the preparation of a DPIA, please contact one of us.