How to carry out a Data Protection Risk Assessment

In our last post – click here to read it – we talked about the types of project and policy work where data protection should be considered, and where to get prompts included in the right places – the right paperwork and meeting agendas especially. Now let’s explore ideas for those prompts, and how to carry out a data protection risk assessment or a Data Protection Impact Assessment (DPIA) to identify and measure risks in the most useful way.

Remember, these prompts and questions should be used, or a DPIA carried out, in the early planning stages of a project or new policy, not at sign-off, when the answers might lead to a lot of unravelling, and data protection being seen as an obstacle.

You will know how to word these questions to suit your organisation’s language, or if you can get your communications colleagues to help out with the wording, that’s even better. So you won’t want to copy and paste, but these are the types of things you need to ascertain about any project/policy that involves handling personal data.

Going back to the examples we used last week, you and your colleagues should have already identified that the project/policy does involve some kind of personal data, and identified the goal and purpose for the project/policy. Now we dig a little deeper:

1. What specific categories of data are you planning to use? Remembering that data doesn’t have to include a name to be “personal”.
2. Challenge each of those categories of data – do you really NEED to use it? Or is it a nice-to-have? Is there another way to achieve the goal or purpose that needs less data, or even no data?

(An example of this: you might think you need to ask a question about a housing applicant’s age, when you could just make it clear at the advert stage that this home is only for over 55s, so people can self-select.)

3. Considering the goal and purpose of the work being undertaken, can you align this with an Article 6 legal basis under the GDPR, and Article 9 for any of the data that is “special categories” (taking into account the Data Protection Act 2018 detail of the Substantial Public Interest legal basis)?

N.B. If you had to stretch to find that legal basis – there’s a risk right there!

4. Is the way you plan to use personal data transparent? Is it in your Privacy Notice, on the form used to collect the data, explained verbally, as appropriate? If you’re not planning to be transparent… WHY? If there’s no exemption in the DPA2018 to the transparency requirement, and it’s because people are likely to be upset by the planned processing, that’s a big red flag!
5. Time for the fun bit – brainstorming all the ways things could go wrong!

The idea is for you and your colleagues to stop thinking like yourselves – it’s no good thinking like the nice, kind, safe people you are. First of all, you need to put yourself in the shoes of the data subjects, remembering that not everyone has the same life experiences as you might have.

An example of this: if you’re lucky enough to have good family relationships, you might assume that parents always do what’s best for their children so there’s no problem with sharing a child’s data with their parents, but sadly that’s not the case, and you might not be acting in a child’s best interests by telling their parents something.

The other part of putting yourself in the data subject’s place, is remembering that everyone is an individual and will not always conform to the stereotype of a particular age group for example. It can be useful to think “how would I feel if I received this letter or email?” Or “if my mum/brother/friend received it?”

Once you’ve got your head around being in the data subject’s place, you need to move again, and this time you want to try and get inside the heads of criminals, bigots, fraudsters – basically anyone who doesn’t share your ethics and morals. Use your imagination, and think “how could this data be mis-used?”

6. The things that get brought up in step 5 are your main risks, and you might have already listed some when answering the earlier questions. As you list your risks, more and more might occur to you; keep adding them to the list. Now to assess the risks and give them a risk score.
7. Medium to large organisations will probably already have a risk assessment matrix you use, but if not, it can be as simple as 3 levels of impact (low, medium, high) multiplied by 3 levels of likelihood (low, medium, high), giving you low, medium or high risk. You can use numbers if you prefer. The important thing is to define each level. For example, impact could be measured by how upset a person would be by the proposed processing, or how much of a difference it would make to a person’s life if they didn’t get a job based on the data processing, or on the number of people who might be affected. On a corporate level, consider for example the impact on resources if someone brought a legal claim against you for unfair employment practices based on the processing. You’ll notice these aren’t directly related to Data Protection law – that’s because Data Protection is about protecting all rights and freedoms of data subjects, not just the data-related rights listed in the GDPR. Make sure you include those “normal” DP law risks too, such as the risk of restricting data subjects’ right to be informed or to access their data, the risk of a data breach, or the risk of a Processor failing in their responsibilities.Likelihood should be measured by estimating how many times the risk outcome would occur if there were no controls in place and no consideration given to data protection and data security. Low might be once every 5 years, high might be every day or every month. It depends on your organisation’s appetite for risk.

An enlightening further step is to take the answers to step 5 and feed them back into the process; start at step 1 again, with the fears and feelings of the data subjects and the intentions of the bad guys at the top of your mind. Do steps 1 to 4 give you different answers this time?

Let me know if the ideas and prompts in this post are useful, and do share your own risk assessment processes, it’s great to hear how different organisations do things.

In the next blog post we’ll look at controls for the risks, and what to do if the DP lead and the project team have differing views about the risks and the controls.

If you’d like to know when that post is published, please click here to join our mailing list. You’ll also receive a free DP health check template, and tips on data protection.

Written by Clare Paterson, Director of CPDP, who has more than 20 years of experience in quality assurance and risk management, including around nine years in data protection.