What is a DPIA? (Data Protection Impact Assessment)

Did you receive a text recently, apparently from the NHS, telling you that all adults need to receive the Covid booster? You might assume all the data-related issues were worked through before the text was sent, perhaps in a Data Protection Impact Assessment (DPIA). In this article I’m considering the question “what is a DPIA?”, as well as what a DPIA shouldn’t be.

Data Protection experts discussed the legality of the recent Covid booster text on Twitter, with many people arguing that the text was necessary and justified under any one of a variety of legal bases.

Never one to go with the flow though, I wasn’t easily convinced; the very fact that people on the Internet had to guess what the sender’s legal basis was means the sending of the text fell at the first fence: transparency. (It didn’t help, to my mind, that the sender was actually the network providers, at the request of the Government, rather than the NHS as it appeared to be.)

One well known privacy and data protection lawyer tweeted a “mini-data protection impact assessment” to support his stance that the text was lawful.

One thing that struck me though, from that mini-DPIA and the other tweets, was the lack of focus on two things: impact – the “I” in DPIA – and demonstrating compliance.

Legal definition of a DPIA

The (UK)GDPR Article 35 states (with my own emphasis):

“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”

Leaving aside the difficulty of identifying when processing “is likely to result in a high risk to the rights and freedoms of natural persons” without carrying out an impact assessment, or at least a pre-assessment assessment (I’ll write about that soon), let’s look at what a DPIA should cover.

There is no set format or template for a DPIA, but coming back to the (UK)GDPR, with my emphasis again:

“The assessment shall contain at least:

(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.”

DPIAs in practice

At CP Data Protection, we start by trying to get clarity on what the processing is designed to achieve, and just as importantly, whether the processing is even likely to achieve that outcome.

Then we consider all the ways the processing could impact the data subjects, including both positive and negative effects, and whether things go to plan or the data is breached somehow. (I’ve discussed how to brainstorm the potential ways things could go wrong in previous articles and I’ll touch on it again in the next one. Please see the links below.)

These actions cover points (a), (b) and (c) above, which brings us to (d), “the measures envisaged to address the risks…” This is where we think about what needs to be done in order to protect the personal data, of course, but also “to demonstrate compliance with this Regulation.”

Much like the ‘Accountability Principle’ (Article 5(2)), this means that we should be doing more than protecting data from security breaches.

We should be ensuring, for starters, that we’re complying with the rest of Article 5(1): data processing that is fair, lawful and transparent; processing for limited purposes; data minimisation; accuracy; and storage limitation.

Then there’s upholding the rights of data subjects, working with processors if relevant, and dealing effectively with any breaches.

AND we should be able to show we’ve considered all these things, and taken steps to achieve them.

In conclusion, to answer the question, “what is a DPIA”, it’s safe to say a DPIA is not a simple task; a DPIA is a process to help identify, and manage, the potential impacts of data processing and to help ensure the processing complies with data protection law.

It’s helpful to use a template as a starting point for a DPIA, one that includes sections for all the questions we’ve discussed in this article, but be sure to add a little imagination too. It’s important to keep an open mind about the processing and especially about:

1) the purpose and necessity of the processing, which should be weighed against

2) the potential negative effects on data subjects.

The Covid booster text

To finish off by considering the Covid booster text again: despite many guesses as to the legal basis relied on for sending it, some of them sensible and one of them pretty convincing, they remained just that – guesses – because the Government failed to clearly communicate the legal basis. So, as I said, I believe it’s clear that the sending of the text failed at transparent processing. It’s anyone’s guess whether the Government considered the necessity of sending the text, whether it was likely to have the desired effect, or whether it could confuse or upset any of the recipients.

In the Twitter discussions I got the distinct impression that many of the commentators felt that being against the text equalled being anti-vaxx, and that no harm could come from a simple text message. You won’t be surprised to hear that I strongly disagree with both of those positions!

For what it’s worth, I had my booster the same day I joined in the Twitter debate, and I know people who were confused by receiving the text; it’s not a long jump to imagine people being upset or suspicious about it.

What’s next?

In our next DPIA article I’ll discuss some tips for keeping an open mind when carrying out a DPIA. To find out when it’s published, and see it first, sign up to receive emails here:

Other articles you might find interesting:

Privacy by Design – baking in data protection

When and where you should consider data protection in projects

How to carry out a DPIA – an overview

How to manage data protection risks when buying software – Includes a FREE checklist

What are the benefits of good data protection?

If you have any questions about data protection, either about DPIAs or anything else related to personal data, book a free 15-minute call!

Clare draws on over 20 years of experience in risk management and quality assurance, including ten years in data protection, to provide clear and practical advice and training.

Don’t tell everyone (shh!) but Clare’s favourite sector is social housing, having worked in a large housing association for 12 years, although she loves to support all values-led organisations.