What is a Data Protection Impact Assessment?

A Data Protection Impact Assessment (DPIA) is an essential part of the Council's accountability obligations under the General Data Protection Regulation (GDPR) enabling the Council to assess and demonstrate compliance with its data protection obligations.

These assessments should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for significant social or economic disadvantage.

Why are Data Protection Impact Assessments needed?

Under GDPR, these assessments are a legal requirement for any type of processing, including certain specified types of processing that are likely to result in a 'high risk to an individual's rights and freedoms'.

The GDPR lists three examples shown below of types of processing that automatically require a DPIA:

systematic and extensive profiling with significant effects;
large scale use of sensitive data; and
public monitoring

Failure to carry out a DPIA when required may lead to enforcement action by the ICO which can include a fine of up to £8.6m.

How does the Council use a Data Protection Impact Assessment?

An assessment begins in the early life of a project, prior to the start of using the data and runs alongside the planning and development process.

Throughout the assessment process involvement will be sought from the business lead, the Data Protection Officer, information security staff, organisations contracted with the Council, legal advisors or other experts and where relevant members of the public.

Data Protection Impact Assessments are not a one-off exercise, they are an ongoing process to help in managing and reviewing the risks of the processing and the measures put in place, particularly where there are significant changes to how and why personal data has been processed, the amount of data collected, a new security flaw identified, and new technology available or a new public concern is raised over the type of processing.

Although assessments cannot completely remove all risk, they should be used to identify and minimise data protection risks to a level that is acceptable.

In circumstances where the council are not able to reduce high risks, the ICO will be consulted.

How do Data Protection Impact Assessments promote transparency and demonstrate GDPR compliance?

A consistent use of these assessments not only increases the awareness of privacy and data protection issues but also ensures that all Council staff involved in the process adopt the 'data protection by design' approach.

Data Protection Impact Assessments enable problems to be identified and fixed at an early stage which in turn can provide our customers with reassurance that their privacy is being protected and any negative impact can be reduced as much as possible.

More detailed information on Data Protection Impact Assessments can be found on the ICO's website.