Cookies on Pinsent Masons website

Our website uses cookies and similar technologies to allow us to promote our services and enhance your browsing experience. If you continue to use our website you agree to our use of cookies.

To understand more about how we use cookies, or for information on how to change your cookie settings, please see our Cookie Policy.

ICO updates data protection impact assessment guide

UK guidance that sets out when organisations need to carry out data protection impact assessments (DPIAs) has been updated.21 Dec 2018

The revised guidance, published by the Information Commissioner's Office (ICO), contains changes in response to recommendations issued by an EU-wide data protection watchdog.

In October, the European Data Protection Board (EDPB) called on the ICO to update its DPIA guidance after finding the ICO had been too strict with some of its examples of when DPIAs need to be conducted.

Data protection, or privacy, impact assessments are used by organisations to identify, understand and address any privacy issues that might arise when developing new products and services or undertaking any other new activities that involve the processing of personal data.

The General Data Protection Regulation (GDPR), which took effect from 25 May, mandates organisations to conduct DPIAs in specified circumstances.

Organisations are be obliged to carry out DPIAs if their planned processing involves: "a systematic and extensive evaluation" of personal aspects based on automated processing, including profiling, resulting in decisions that significantly affect individuals; large scale processing of sensitive data or data on criminal convictions/offences; or systematic large scale monitoring of a publicly accessible area, such as through the use of CCTV.

The GDPR also requires DPIAs to be undertaken if planned data processing activities are otherwise "likely to result in a high risk to the rights and freedoms of natural persons". 

A number of data protection authorities across the EU have issued a list outlining its expectations on when businesses should carry out DPIAs.

In its initial guidance the ICO said that a DPIA would need to be carried out where organisations plan to process biometric, genetic or location data, but the EDPB said that was not the case under the GDPR. It said the processing of biometric, genetic or location data on its own is "not necessarily likely to represent a high risk". The EDPB said the duty to carry out a DPIA is only definitely triggered in those cases if "at least one other criterion", highlighted as a 'high risk' factor in guidance on DPIAs that the EDPB has endorsed, applies to the intended processing activities. That guidance was developed by the Article 29 Working Party, the predecessor to the EDPB, and adopted by the EDPB in May.

The ICO's updated guidance reflects the EDPB's views. It has added wording to confirm that the planned processing of biometric or genetic data only triggers the requirement for a DPIA where "any of the criteria in the European guidelines" also applies.

The ICO has confirmed that such combination of risk factors is also needed to trigger the DPIA requirement where organisations want to track individuals' location or behaviour.

The guide has also been updated to confirm that the planned use of innovative technology will trigger the need for a DPIA only where "any of the criteria in the European guidelines" also applies.

Ireland's Data Protection Commission (DPC) also recently published its DPIA guidance. Unlike the ICO, the DPC has set out examples where the duty carry out a DPIA does not apply. Examples it gave include if the processing has already been "authorised" by a "supervisory authority", or if the type of processing was "previously found not to be at risk by DPIA".