Organisations intending to use new technologies that involve the processing of personal data will be expected to carry out data protection impact assessments (DPIAs) before deploying those technologies under the new General Data Protection Regulation (GDPR), according to the Information Commissioner's Office (ICO).
In draft new guidance (44-page / 413KB PDF) the ICO confirmed that where the DPIA reveals that the planned data processing activities present a high risk to individuals’ interests, and businesses cannot mitigate those risks, they will be obliged to consult with the ICO before proceeding with the data processing.
In those circumstances, the ICO could take up to 14 weeks to provide a response to the business, according to the draft guidance. The watchdog said that, in some cases, it could stop businesses proceeding with the planned data processing.
The ICO said: "If you have carried out a DPIA that identifies a high risk, and you cannot take any measures to reduce this risk, you need to consult the ICO. You cannot go ahead with the processing until you have done so."
"We will provide you with a written response advising you whether the risks are acceptable, or whether you need to take further action. In some cases we may advise you not to carry out the processing because we consider it would be in breach of the GDPR. In appropriate cases we may issue a formal warning or take action to ban the processing altogether," it said.
Currently, organisations are not obliged to conduct data protection impact assessments under the UK's Data Protection Act, although the ICO has advocated their use as 'best practice' for organisations and previously issued guidance on how organisations can get the most from such assessments.
However, many organisations will be obliged to carry out DPIAs under the GDPR, which will begin to apply from 25 May this year.
The new draft guidance, which is open to consultation until 13 April, refers to a range of scenarios in which the ICO said it will expect businesses to carry out a DPIA under the GDPR. The planned use of new technologies is just one of the examples it has listed. Organisations that wish to track individuals’ location or behaviour, process biometric data, or engage in certain customer profiling will also be expected to conduct a DPIA, according to the ICO's list.
The ICO's draft guidance refers to the fact that the GDPR requires DPIAs to be undertaken if planned data processing activities are otherwise "likely to result in a high risk to the rights and freedoms of natural persons".
Organisations will also be obliged to carry out DPIAs if their planned processing involves: "a systematic and extensive evaluation" of personal aspects based on automated processing, including profiling, resulting in decisions that significantly affect individuals; large scale processing of sensitive data or data on criminal convictions/offences; or systematic large scale monitoring of a publicly accessible area, such as through the use of CCTV.
Data protection law expert Laura Gillespie of Pinsent Masons, the law firm behind Out-Law.com, said: "With just two months to go until GDPR becomes law, businesses should be urgently reviewing procedures to ensure that where necessary, DPIAs are carried out or in place. Of course, businesses also need to be complying with the accountability principle whereby they should be able to demonstrate how they have complied with the principles; documenting key decisions for GDPR is essential as part of the overall compliance programme."
The ICO explained that businesses may be able to re-use DPIAs they have previously undertaken in some cases, or those produced by third parties, or in partnership with other organisations, under the new framework.
"A DPIA can cover a single processing operation, or a group of similar processing operations," the ICO said. "You may even be able to rely on an existing DPIA if it covered a similar processing operation with similar risks. A group of controllers can also do a joint DPIA for a group project or industry-wide initiative. For new technologies, you may be able to use a DPIA done by the product developer to inform your own DPIA on your implementation plans."
"You can use an effective DPIA throughout the development and implementation of a project or proposal, embedded into existing project management or other organisational processes," it said.
The watchdog warned businesses that a DPIA should not be viewed as "a one-off exercise to file away". Instead, a DPIA is "a ‘living’ process to help you manage and review the risks of the processing and the measures you’ve put in place on an ongoing basis", it said.
Businesses were urged to keep DPIAs under review and reassess them if things change, such as where "significant changes to how or why [they] process personal data" arise, or where they increase the amount of data they gather. External changes should also be factored in, the ICO said.
"An external change to the wider context of the processing should also prompt you to review your DPIA," it said. "For example, if a new security flaw is identified, new technology is made available, or a new public concern is raised over the type of processing you do or the vulnerability of a particular group of data subjects."
In its draft guidance, the ICO made reference to existing GDPR guidance that a group of EU data protection authorities has already produced on DPIAs. The ICO is a member of the Article 29 Working Party that produced that earlier guidance.
A raft of other GDPR guidance has previously been published by the ICO or Working Party, including on the topics of consent and data breach notification.