1. Data Privacy Impact Assessment (DPIA)
A Data Privacy Impact Assessment (DPIA) is a process to help identify and minimise the data protection risks of a project before committing to it. In the case of systems installed prior to instructing VeriFi, the scope of the DPIA is limited to data capture and processing equipment together with associated record keeping. It is assumed that the Data Controller has previously completed any required pre-installation consultation with affected parties and reviewed alternative potential solutions with due regard to the following;
A Data Controller must conduct or commission a DPIA for processing that is likely to result in a high risk to individuals.
In particular, data protection legislation says you must do a DPIA if you plan to carry out:-
- Systematic & extensive profiling
- Large scale use of sensitive data
- Public monitoring
- Innovative technology
- Denial of service
- Data matching
- Invisible processing
- Targeting children / vulnerable adults
- Risk of harm
- Special category / criminal offence data
- Automated decision-making
- Other (please specify)
Typically a DPIA will include what you plan to do with the personal data, it should include the following information:
- how you collect the data;
- how you store the data;
- how you use the data;
- who has access to the data;
- who you share the data with;
- whether you use any processors;
- retention periods;
- security measures;
- whether you are using any new technologies;
- whether you are using any novel types of processing; and
- which screening criteria you flagged as likely high risk.
The scope of the processing is what the processing covers. This should include, for example:
- the nature of the personal data;
- the volume and variety of the personal data;
- the sensitivity of the personal data;
- the extent and frequency of the processing;
- the duration of the processing;
- the number of data subjects involved; and
- the geographical area covered.
The context of the processing is the wider picture, including internal and external factors which might affect expectations or impact. This might include, for example:
- the source of the data;
- the nature of your relationship with the individuals;
- how far individuals have control over their data;
- how far individuals are likely to expect the processing;
- whether these individuals include children or other vulnerable people;
- any previous experience of this type of processing;
- any relevant advances in technology or security;
- any current issues of public concern;
- in due course, whether you comply with any GDPR codes of conduct (once any have been approved under Article 40) or GDPR certification schemes;and
- whether you have considered and complied with relevant codes of practice.
The purpose of the processing is the reason why you want to process the personal data. This should include:
- your legitimate interests, where relevant;
- the intended outcome for individuals; and
- the expected benefits for you or for society as a whole.
Do we need to consult individuals?
You should seek and document the views of individuals (or their representatives) unless there is a good reason not to.
In most cases it should be possible to consult individuals in some form. However, if you decide this is not appropriate, you should record this decision as part of your DPIA, with a clear explanation. For example, you may be able to demonstrate that consultation would compromise commercial confidentiality, undermine security, or be disproportionate or impracticable.
If the DPIA covers the processing of personal data of existing contacts (for example, existing customers or employees), you should design a consultation process to seek the views of those particular individuals, or their representatives.
If the DPIA covers a plan to collect the personal data of individuals you have not yet identified, you may need to carry out a more general public- consultation process, or targeted research. This could take the form of market research with a certain demographic or contacting relevant campaign or consumer groups for their views.
If your DPIA decision differs from the views of individuals, you need to document your reasons for disregarding their views.