Research from Egress shows that only 48 per cent of organisations believe themselves to be fully compliant with GDPR. The other 52 per cent are taking the approach that ‘almost’ compliant is good enough.
But is it? So far in the UK, the ICO has focused on large infringements caused by data breaches, the two most notable being Marriott and BA. However, with new initiatives planned by the Information Commissioner, such as GDPR Certification and sector-specific Codes of Conduct, it seems likely that the spotlight will fall on the observance of data handling and processing requirements as well as on breach issues.
The study found that, for the organisations that weren’t fully compliant, most of their compliance effort was made in the build-up to GDPR coming into force, with this effort tailing off significantly in the months after its introduction. For these firms, now might be the time to step back up to the plate.
A good way to get back on the proverbial horse is to carry out, or revisit, a DPIA (data protection impact assessment). A DPIA is a way for organisations to systematically and comprehensively analyse their data processing and to help identify and minimise data protection risks. DPIAs are now a legal requirement for any data processing activity that is likely to be high risk. But an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and building trust and engagement with individuals.
DPIAs should not just consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm – to individuals or to society at large, whether it is physical, material or non-material.
The ICO states that it is important to embed DPIAs into organisational processes, because a DPIA is not a one-off exercise but an ongoing one.
A DPIA should be carried out before any type of processing that is “likely to result in a high risk” is carried out. High risk is categorised as:
• Evaluation or scoring of data including profiling and predicting
• Automated decision making
• Systematic monitoring of data subjects
• Processing of sensitive information such as criminal convictions, political affiliation etc.
• Data processed on a large scale
• Matching or combining datasets
• Data concerning vulnerable data subjects including children, employees, more vulnerable segments of the population requiring special protection such as the mentally ill, asylum seekers, or the elderly etc.
• Innovative use or application of new technological or organisational solutions
• When the processing in itself “prevents data subjects from exercising a right or using a service or a contract”
The ICO provides guidance on how to carry out a DPIA using the following steps:
1. Identify the need for a DPIA
2. Describe the processing
3. Consider consultation
4. Assess necessity and proportionality
5. Identify and assess risks
6. Identify measures to mitigate risk
7. Sign off and record outcomes
8. Integrate outcomes into a plan
9. Keep under review
They advise that you must seek the advice of your data protection officer, if you have one, or of outside data protection experts. A suggested template is also provided, which can be downloaded here: sample DPIA template. However, organisations are at liberty to create their own DPIA form.
Finally, although publishing a DPIA is not a requirement of GDPR, the ICO believes there are significant benefits of doing so. As well as demonstrating compliance, publication can help engender trust and confidence from customers and other stakeholders alike.
For further information about DPIAs or help on conducting one please don’t hesitate to contact us.