Data Protection By Design and the GDPR

April 2018

The GDPR places considerable importance on taking a ‘data protection by design’ approach when it comes to using personal data. In simple terms, this means that whenever you use personal data, privacy and data protection should be key considerations from the very beginning.

A Privacy Impact Assessment, now known (inevitably by a longer name) as a Data Protection Impact Assessment, is a valuable tool in this regard.

The purpose of a PIA or DPIA is to document the identification of privacy risks in a project, the proposed solutions, the evaluation of those solutions, the agreed solutions, and the integration of those solutions into the overall project plan. Ideally, risks will be eliminated or significantly minimised, allowing the project to proceed unhindered and protecting the rights of individuals.

Do I Need to do a Privacy Impact Assessment?

Officially, that depends. The GDPR has three criteria to determine whether or not a PIA (DPIA) is required. The ICO bulks this up somewhat with a further list.

As is clear from these lists, it may not be strictly necessary for many SMEs to carry out an assessment. However, it is still good practice. You will be bound by the GDPR’s requirements (and threatened with its penalties) whenever you use any personal data for any purpose. By baking in solutions to potential privacy problems from the word go, you are taking a much safer approach to data protection.

Under the GDPR, you must carry out a PIA if you plan to:
- Carry out systematic and extensive profiling that will have significant effects;
- Process sensitive personal data (or data about criminal offences) on a large scale; or
- Systematically monitor public spaces on a large scale.

Under the ICO’s list, you must carry out a PIA if you are:
- Using new technologies;
- Using profiling or sensitive personal data to determine individuals’ access to services;
- Profiling individuals on a large scale;
- Processing biometric or genetic data;
- Matching or combining data from multiple sources;
- Collecting personal data from a source other than an individual without providing the individual with a privacy notice (known as ‘invisible processing’);
- Tracking individuals’ location or behaviour;
- Profiling children or targeting services to them; or
- Processing data that may endanger individuals’ physical health or safety if a security breach occurs.

New Privacy Impact Assessment Template

To get you started in the right way (the GDPR way!) we have published a new Privacy Impact Assessment template which will assist in documenting the information flows, privacy risks, proposed solutions, the evaluation of those solutions, and the integration of the agreed solutions into your project plan.

In addition, the template comes pre-loaded with a number of common privacy risks and possible solutions. It is vital, however, that these are just your starting point. Assess carefully the potential risks in your project, adding them and their solutions to the relevant parts of the form. A Privacy Impact Assessment is not something to be taken lightly, especially if you do meet one of the GDPR or ICO criteria. If in doubt, consult the ICO, and also note that if you cannot find a suitable solution to a privacy risk, the ICO must be consulted before you proceed.

The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.
