Data Protection Impact Assessments Drop-in advice session Charter 4 Data Protection Practitioners’ Conference 2018 #DPPC2018
Tell us what you think Go to slido.com/#DPPC2018/DPIA #DPPC2018 Data Protection Practitioners’ Conference 2018 #DPPC2018
Data Protection Impact Assessments What are they & when are they required? Data Protection Practitioners’ Conference 2018 #DPPC2018
DPIA Awareness checklist DPIA Screening checklist Guide to the GDPR DPIA Awareness checklist DPIA Screening checklist DPIA Process checklist Data Protection Practitioners’ Conference 2018 #DPPC2018
DPIA consultation- closes Friday Tell us your thoughts @ ico.org.uk Data Protection Practitioners’ Conference 2018 #DPPC2018
#DPPC2018 A process for building and demonstrating compliance Can be used for; a single processing operation, a group of similar operations and evaluating the impact of a technology product. Data Protection Practitioners’ Conference 2018 #DPPC2018
#DPPC2018 Assess the impact of envisaged processing Describe processing Necessity/proportionality Assess level of risk Identify measures to address risk Data Protection Practitioners’ Conference 2018 #DPPC2018
#DPPC2018 Data Protection Practitioners’ Conference 2018 1: Identify need for a DPIA 2: Describe the processing 3: Consider consultation 4: Assess necessity and proportionality 5: Identify and assess risks 6: Identify measures to mitigate risk 7: Sign off and record outcomes 8: Integrate outcomes into plan 9: Keep under review Data Protection Practitioners’ Conference 2018 #DPPC2018
Article 35 Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. Data Protection Practitioners’ Conference 2018 #DPPC2018
Article 35 Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. Data Protection Practitioners’ Conference 2018 #DPPC2018
Article 35 Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. Data Protection Practitioners’ Conference 2018 #DPPC2018
Part 3 – Law enforcement purposes Clause 64(1) – DP Bill Part 3 – Law enforcement purposes Where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, the controller must, prior to the processing, carry out a data protection impact assessment. Data Protection Practitioners’ Conference 2018 #DPPC2018
Recital 77 “The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data…”. Data Protection Practitioners’ Conference 2018 #DPPC2018
Article 35(4) Article 35(3) New Technologies Profiling/SPD access to services Profile individuals (large scale) Biometric data Genetic data Match/combine datasets Invisible processing Track location/behaviour Profile children/vulnerable Data which may endanger subjects in case of a breach Article 35(3) Systematic, extensive evaluation (ADM/profiling Large scale Art 9/10 processing Large scale monitoring, publically accessible area
ICO proposed list #DPPC2018 New technologies Denial of service Large-scale profiling Biometric data Genetic data Risk of physical harm Data matching Invisible processing Tracking Targeting of children/vulnerable individuals Data Protection Practitioners’ Conference 2018 #DPPC2018
1, New Technologies #DPPC2018 Processing involving the use of new technologies, or the novel application of existing technologies (including AI). Data Protection Practitioners’ Conference 2018 #DPPC2018
2, Denial of service #DPPC2018 Decisions about an individual’s access to a product, service, opportunity or benefit which is based to any extent on automated decision-making (including profiling) or involves the processing of special category data. Data Protection Practitioners’ Conference 2018 #DPPC2018
3, Large-scale profiling Any profiling of individuals on a large scale. Data Protection Practitioners’ Conference 2018 #DPPC2018
What does large scale mean? You should consider: Number of individuals Geographical extent Volume of data Variety of data Duration of the processing Data Protection Practitioners’ Conference 2018 #DPPC2018
#DPPC2018 Tracking individuals using a city’s public transport system Data Protection Practitioners’ Conference 2018 #DPPC2018
A hospital processing patient data (not an individual clinician) Data Protection Practitioners’ Conference 2018 #DPPC2018
Want to ask us a question? Go to slido.com/#DPPC2018/DPIA Data Protection Practitioners’ Conference 2018 #DPPC2018
4, Biometrics #DPPC2018 Any processing of biometric data. Data Protection Practitioners’ Conference 2018 #DPPC2018
5, Genetic data Any processing of genetic data other than that processed by an individual GP or health professional, for the provision of health care direct to the data subject. Data Protection Practitioners’ Conference 2018 #DPPC2018
6, Data matching Combining, comparing or matching personal data obtained from multiple sources. Data Protection Practitioners’ Conference 2018 #DPPC2018
7, Invisible processing #DPPC2018 Processing of personal data that has not been obtained direct from the data subject in circumstances where the controller considers that compliance with Article 14 would prove impossible or involve disproportionate effort. Data Protection Practitioners’ Conference 2018 #DPPC2018
8, Tracking Processing which involves tracking an individual’s geolocation or behaviour, including but not limited to the online environment. Data Protection Practitioners’ Conference 2018 #DPPC2018
9, Targeting of children or other vulnerable individuals The use of the personal data of children or other vulnerable individuals for marketing purposes, profiling or other automated decision-making, or if you intend to offer online services directly to children. Data Protection Practitioners’ Conference 2018 #DPPC2018
10, Risk of physical harm #DPPC2018 Where the processing is of such a nature that a personal data breach could jeopardise the [physical] health or safety of individuals. Data Protection Practitioners’ Conference 2018 #DPPC2018
Data Protection Practitioners’ Conference 2018 #DPPC2018
DPIA consultation- closes Friday Tell us your thoughts @ ico.org.uk Data Protection Practitioners’ Conference 2018 #DPPC2018
Guide to the GDPR DPIA Awareness checklist DPIA Screening checklist DPIA Process checklist Data Protection Practitioners’ Conference 2018 #DPPC2018