England’s new test and trace programme has been deemed to be in breach of the GDPR (General Data Protection Regulation). This is because a Data Protection Impact Assessment was not carried out. The scale, the sensitivity and the public focus of the coronavirus test and trace programme mean that protecting citizens’ data and their privacy rights must be a priority.
In this article, we’ll discuss what a Data Protection Impact Assessment is, when you will need it and why it is important. This post applies to any company that controls and uses personal information.
What is a Data Protection Impact Assessment?
A Data Protection Impact Assessment (DPIA) is a systematic process which you must carry out to identify and minimise any data protection and privacy risks which a project may bring about. It is a legal requirement in the GDPR that a DPIA must be carried out when the use of personal data is likely to pose a high risk to individuals.
Why is a Data Protection Impact Assessment Important?
Within your business, it is vital you handle personal information in line with the GDPR because the consequences of breaching it can be hugely detrimental, reputationally and financially.
Knowing the privacy risks brought about through new processes or projects in your business is essential for mitigating them. You cannot put in place appropriate measures to keep personal information secure and handle it in line with the GDPR if you don’t know about areas of weakness throughout your business processes.
The process of completing a DPIA helps you to map out where personal data flows throughout the organisation, including to third parties. Understanding every point where data is transferred and stored helps you ensure that the appropriate security measures are put in place throughout its journey.
Finally, the DPIA allows you to check whether the project or process you wish to put in place complies with an individual’s rights. The scope and purpose of how you will use personal data needs to be described as part of the DPIA, and this allows you to ensure the activities are necessary, proportionate, and lawful.
Failure to understand your privacy risks is a recipe for disaster.
Data Protection Impact Assessment Process
In order to ensure you build in the time and necessary steps for a DPIA into your project timescales, here is a process checklist for you to use:
- Identify if you need a DPIA. Are you processing personal information which could pose a high risk to an individual’s privacy rights?
- Describe the personal information used and how it will be processed. At this point it is worth considering whether consulting individuals (data subjects) and stakeholders would be worthwhile.
- Assess whether the activities being introduced and the way in which personal data is being proposed to be processed is necessary and proportionate.
- Identify and measure any risks. For more information on risk management and scoring check out our blog.
- Identify mitigation actions and develop an action plan.
- Sign off the DPIA and record risks and outcomes in the relevant register.
- Integrate mitigations and outcomes into the project plan.
- Decide review points and ensure the DPIA is kept up to date.
The fines that can be issued under the GDPR are significant, so it is important to ensure you are operating in line with the regulation. From this post, I’m sure you can understand why a DPIA would absolutely be required for England’s coronavirus test and trace project. To see the full news article please visit this BBC News link. Also, for more information on the GDPR please visit the Information Commissioner’s Office website.
If you would like help with DPIAs, wider compliance with the GDPR or information security, then we would love to hear from you. We can offer consultation on an hourly or daily basis, so please contact us.