The nine “no-nos” of DPIAs
The Outsourced DPO has been asked to critique some customer DPIAs recently and has made the following observations.
1 Complex forms
Some organisations use hugely complicated forms to record the DPIA, in some cases running to 20 pages. This is a big deterrent to lay people and project managers completing a DPIA at all. Keep the DPIA form simple and relevant.
2 Focus on the process
In the DPIAs reviewed, the emphasis was on working through and completing the form rather than on critically interrogating and analysing the processing activities in question. This is partly the result of poor form design and partly a lack of training and guidance. Keep front of mind that the DPIA is about the things that affect the processing of personal data: people, process and technology.
3 Data flows
None of the DPIAs reviewed contained any form of data flow or process flow diagram. The Outsourced DPO’s very first step when conducting a DPIA is to draw out the process flow and the data flows, because doing so very obviously reveals the areas of risk on which the DPIA should focus, including the use of processors, the purposes of processing, the security of transmission, data back-up and so on. Draw out the data and process flows.
4 Risk identification
The purpose of performing a DPIA is to identify the risks to privacy, and of non-compliance with data protection law, that arise from the data processing activities or operations. The risks identified in the reviewed DPIAs were very superficial – for example “risk of data breach: likelihood = low, impact = low”. On most DPIA forms the risk matrix sits at the back, on page 15 or so, and project managers report that they feel drowned by the bureaucracy by the time they reach risk identification. They are also not the best people to carry out the risk identification anyway: they are often too close to the project, and have too much confidence in it, to identify and appraise its risks objectively and critically. Make sure you have an effective methodology for identifying risks at a granular level.
5 Detail, detail, detail
The Outsourced DPO has undertaken many DPIAs for customers over the past decade, including some for highly technical uses of emerging digital media and communications technologies. It is often the case that no single person understands how data are being collected, created, augmented, profiled, transmitted, stored, retained, erased and so on – yet this is absolutely critical to understand in order to realistically assess where the weak points in the data processing activities are. You need to be like a broken record, repeating requests for information and drilling ever deeper into the detail where required. If you cannot fully understand exactly what is going on in a project with regard to the processing operations applied to personal data, you cannot hope to do a thorough DPIA. Be persistent in obtaining sufficient detail.
6 Box-ticking exercise
A DPIA is not a compliance box-ticking exercise, so do not treat it as one. Embrace DPIAs as a valuable tool for reviewing and analysing data processing activities and for fostering a culture of privacy by design and by default.
7 Take your time
Understanding, analysing and reviewing data processing operations is a time-consuming process, usually taking several weeks of document review and discussion. It cannot be rushed. You need to secure the full co-operation of stakeholders and allow the DPIA to run its course on its own time-scale. A rushed DPIA is likely to miss things. Don’t rush a DPIA.
8 The right people
The person or persons completing the DPIA must be competent. They need to understand both privacy law and the project in hand. The DPO may not be the best person to complete a DPIA, but nor might the project manager. A team-based approach is likely to produce the most effective DPIAs. Get the right people engaged in the DPIA process.
9 Existing processes are not exempt
The ICO’s guidance is that DPIAs should be kept under review (step 9 of its suggested DPIA process), so processing that has been subject to a DPIA should be re-tested periodically: a DPIA is not “for life”. It therefore stands to reason that any processing that commenced before DPIAs became mandatory should also be subject to periodic review. Record in your record of processing activities which activities require a DPIA, and create a rolling DPIA review programme.