In the last article about Data Protection Impact Assessments (DPIAs), we explored three techniques to help identify the ways people could be impacted by your planned processing, as part of the risk-assessment stage of a DPIA. In this article we’ll look at the process-based risks of a new project or policy: those arising from data storage, IT systems, suppliers, and so on.
To recap, a DPIA should cover (as laid down in the GDPR):
(a) a description of the planned processing and its purpose(s);
(b) an assessment of the necessity and proportionality of the processing in relation to the purposes;
(c) an assessment of the risks to the rights and freedoms of the data subjects; and
(d) the measures envisaged to address the risks.
For what it’s worth, I think parts (b) and (c) should be the other way around, but anyway, when doing part (c), the assessment of the risks, I believe we need to use our imagination. We can make it easier by working through a checklist, like the one we talked about last time for identifying people-based risks: consider people with different characteristics, consider people with different life experiences, and challenge the use of stereotypes or other generalisations in your planned processing.
When working through the points below as part of a DPIA, continue to use your imagination and broaden your thinking. Another golden rule for this checklist is my favourite mantra:
Take nothing for granted!
I’ll explain why that’s so important as we go.
Before we jump into this checklist, we need to make sure we’ve done part (a) of the DPIA, describing the planned processing and its purpose. This could mean mapping out your process and data flows in a simple list, or in a diagram.
From the process map, we can explore two key areas – WHERE the data goes, and WHO is involved in touching the data in any way.
WHERE: Look at the process map and consider where the data is moving around, both externally and internally.
- Start at the point of the data being collected, then look at where it’s stored, then every time the data is entered into a system, every time it’s analysed, every time it’s shared, where it’s archived, and where it goes to be destroyed.
- For each data transfer that’s been identified, consider whether the step is necessary for the purpose or whether there are any unnecessary transfers, and consider what could go wrong. This is where the imagination comes in, as well as taking nothing for granted. Obtain and document proof for all the answers. For each transfer, ask:
  - Is it secure?
  - Could a data-entry error happen?
  - Could data be sent to the wrong place, person or email address?
- For each use of the data, has a clear legal basis been identified?
  - If the legal basis is consent, do you have a robust consent mechanism?
WHO: Now think about all the people and organisations involved in the project and/or planned processing.
- Consider the employees involved in the project and who will be involved in the planned data processing – are there any special risks linked to any of them, including conflicts of interest or risk of misuse/breach of data by a disgruntled or stressed employee? It does happen!
- Will you be working with an external consultant, or any other organisation, as part of the project or policy? This includes using bought-in server storage, software, an app, or anything similar. The supplier could be involved in delivering the project, the outcome of the project or policy could involve the use of an IT or other supplier, or both. This is where we should be especially careful to take nothing for granted.
- Before you allow any external people or organisations to access any of the personal data (or otherwise confidential data), have you carried out due diligence, checked the contract for data processing clauses, international transfers and any problematic indemnities, and had the contract executed at the appropriate level of authority?
- The risk and responsibility are yours, not the external contractor’s or supplier’s, so you need to obtain your own, impartial assurances. See How to manage data protection risks when buying software, which includes access to a ready-to-use checklist.
- Your Procurement Policy might only require due diligence and a legal review of the paperwork if the contract is worth more than a certain monetary value. These points all apply regardless of the value of the contract, however, if any personal data processing will be carried out by the supplier or consultant.
The next steps
Combining the answers from the above with the answers from the prompts you used to identify risks to different people (from the last DPIA article) will identify the key data-protection-related risks from your planned processing.
On a positive note, following the steps such as checking for conflicts of interest and reviewing contracts can provide assurances that at least some of the risks are being controlled.
For any uncontrolled risks identified, feed them back into your DPIA and work on agreeing mitigations and control measures. Remember that your organisation might be happy to accept some of the risks without putting controls in place, and as the Data Protection Officer (DPO) you can only advise, you can’t force your organisation to take your advice. See our article on Controls and conflict in DPIAs for more information and tips on agreeing appropriate control measures.
Clare draws on over 20 years of experience in risk management and quality assurance, including ten years in data protection, to provide clear and practical advice and training.
Don’t tell everyone (shh!) but Clare’s favourite sector is social housing, having worked in a large housing association for 12 years, although she loves to support all values-led organisations.