
DPIAs


In brief: the importance of DPIAs

DPIAs require organisations to consider risks to people’s rights and freedoms, including the potential for any significant social or economic disadvantage. They provide an opportunity to assess whether processing will lead to fair outcomes and take steps to mitigate data protection risks.
A DPIA is a foundational document for data protection compliance. It is also a powerful tool for understanding the benefits and risks of ADM. Organisations should involve their data protection officer (DPO) at the earliest possible stage of procurement and in developing a DPIA. When developing a DPIA, they should include: 
  • a systematic description of processing activities, including data flows, the stages at which AI processes personal information, and any solely automated decisions that may produce significant effects on people;
  • an explanation of any relevant variation or margins of error in the system’s performance which may affect the data protection law fairness principle; and
  • a description of the scope and context of the processing, including:
    • the information processed;
    • the number of people whose information is involved;
    • the source of the information; and
    • the extent to which people are likely to expect the processing.

Our findings about DPIAs

A DPIA is a tool that helps organisations assess the risks that their processing poses to people’s rights and freedoms, and identify ways to address those risks. Where processing is likely to result in a high risk to people’s rights and freedoms, organisations must carry out a DPIA. The DPIA must include details of the mitigations the organisation intends to put in place to manage these risks.

This includes if an organisation’s processing involves “a systematic and extensive evaluation of someone’s personal aspects which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.” 37

The use of ADM in recruitment is therefore likely to be an activity that requires a DPIA to be conducted, and in any event we would consider it to be good practice to do so.
 
We found that some employers we engaged with had completed a DPIA. However, several employers had not identified that they needed a DPIA and had not completed one. We also discovered that DPIAs were not always sufficiently detailed, and some only had very basic information about ADM. This overlapped with the lack of clarity around meaningful human involvement (see above) and lawful basis (covered below). 

Most DPIAs focused on the use of the third-party recruitment tool. They tended to include limited descriptions of: 

  • how the tool worked;
  • what recruitment decisions it would be applied to; and
  • whether the outputs would be used to make or support these decisions. 

This may suggest a level of knowledge asymmetry between developers and deployers that could be explored further. 

Several of the DPIAs were significantly outdated and contained inaccurate or vague information about processing. Others were incomplete and had significant gaps, especially about technical and organisational measures for instituting safeguards. Some included minimal commentary, justification or analysis. 

Risk assessments completed as part of a DPIA were inconsistent. Many employers had failed to complete the risk assessment section or had identified no risks. Most DPIAs with empty or incomplete risk assessments didn’t record any advice from or consultation with the DPO and had been signed off despite being incomplete. 

Case study

An employer requires candidates to complete psychometric assessments through a third-party tool. The tool produces an overall grade for each candidate, which the employer uses to make automated decisions on who to offer an interview to.  

The employer has completed a DPIA for the use of the tool. The information is largely limited to ‘yes’ or ‘no’ responses, with very little explanation or justification. There are also significant gaps and unanswered questions. These particularly concern international transfers and technical and organisational measures to secure personal information in the tool. The DPIA includes a risk assessment section at the end, but this hasn’t been fully completed, and no risks have been identified.

The DPIA also doesn’t record any comments or advice from the DPO, and it doesn’t appear that any internal stakeholders were consulted. Instead, a single member of the legal team produced, reviewed and approved the DPIA.

This is not compliant, because the employer hasn’t assessed the impacts of its processing. 

We also saw examples of good practice. There were examples of DPIAs which clearly identified risks and explained how the employer put safeguards or mitigations into place. Some DPIAs also included detailed technical information from third-party tool providers.

Case study 

An employer uses a chatbot to perform first-stage screening interviews with candidates. These are assessed using AI to produce an overall score and make automated decisions on who to offer an interview to. 

The employer conducts a DPIA for the use of the tool. The DPIA includes a question asking whether the processing is ADM within the scope of article 22. The answer given reads ‘unsure’, with no further explanation or justification. The DPIA includes a risk assessment, which identifies: 

  • one ‘very high’ risk;
  • two ‘high’ risks; and
  • an overall residual risk level of ‘very high’. 

The employer does not implement any measures to mitigate the risks it has identified, nor does it consult us prior to this processing. 

This is not compliant, because the employer hasn’t fully assessed the extent to which its processing is within the scope of the ADM provisions. It is also not compliant because, although the DPIA has identified high risk processing, the employer has not implemented measures to mitigate these risks, nor has it consulted with the ICO prior to processing.

Discussion 

The absence of clear and complete DPIAs is a notable concern. To achieve efficiencies and drive innovation, employers must also meet their fundamental accountability obligations under data protection law.

In previous advice, 38 we made it clear that the procurement process is an important stage. At this stage, employers can understand, address and mitigate any potential privacy risks or harms to people that may arise from acquiring an automated recruitment tool. 

This is vital for accountability. Just as trust cannot be built between employers and people without transparency, it also cannot be built without accountability. 

Expectations 

Employers that are deploying automated recruitment tools should carefully assess whether to carry out a DPIA. Where the processing includes ADM, they need to carry out a DPIA. 

Where employers have already carried out DPIAs concerning their use of automation in recruitment, we expect them to carefully review these to ensure they are appropriately assessing the risks of their processing. 

 36  We worked with the Local Government Association to provide this guidance.

 37  Article 35(3)(a), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation) (Text with EEA relevance)

  38 Thinking of using AI to assist recruitment? Our key data protection considerations