Why is this important?
The need to identify, assess and manage privacy risks is an integral part of accountability. Understanding the risks of the way you use personal data specifically is central to creating an appropriate and proportionate privacy management framework. A DPIA is a key risk management tool, and an important part of integrating ‘data protection by design and by default’ across your organisation. It helps you to identify, record and minimise the data protection risks of projects. DPIAs are mandatory in some cases and there are specific legal requirements for content and process. If you cannot mitigate a high risk, you must have a process for reporting this to the ICO.
At a glance – what we expect from you
- Identifying, recording and managing risks
- Data protection by design and by default
- DPIA policy and procedures
- DPIA content
- DPIA risk mitigation and review
Identifying, recording and managing risks
Your organisation has appropriate policies, procedures and measures to identify, record and manage information risks.
Ways to meet our expectations:
- An information risk policy (either a separate document or part of a wider corporate risk policy) sets out how your organisation and its data processors manage information risk, and how you monitor compliance with the information risk policy.
- You have a process to help staff report and escalate information governance or data protection concerns and risks to a central point, for example staff forums.
- You identify and manage information risks in an appropriate risk register, which includes clear links between corporate and departmental risk registers and the risk assessment of information assets.
- You have formal procedures to identify, record and manage risks associated with information assets in an information asset register.
- If you identify information risks, you have appropriate action plans, progress reports and a consideration of the lessons learnt to avoid future risk.
- You put measures in place to mitigate the risks identified within risk categories, and you test these regularly to make sure that they remain effective.
Have you considered the effectiveness of your accountability measures?
- Do staff know how to report and escalate concerns and risks?
- Could staff explain the links between the information risk register, the risk assessment of information assets, departmental risk registers and the corporate risk register?
Data protection by design and by default
You take a data protection by design and by default approach to managing risks, and, as appropriate, you build DPIA requirements into policies and procedures.
Ways to meet our expectations:
- You reference DPIA requirements in all risk, project and change management policies and procedures, with links to DPIA policies and procedures.
- Your procedures state that, if required, a DPIA should begin at the project's outset, before processing starts, and that the DPIA must run alongside the planning and development process.
- You anticipate risks and privacy-invasive events before they occur, making sure that at the initial design phase of any system, product or process and throughout, you consider the:
  - intended processing activities;
  - risks that these may pose to the rights and freedoms of individuals; and
  - possible measures available to mitigate the risks.
Have you considered the effectiveness of your accountability measures?
- Would staff working on personal data processing projects be able to explain how they manage the risks as part of the project?
DPIA policy and procedures
You understand whether a DPIA is required, or where it would be good practice to complete one. There is a clear DPIA policy and procedure.
Ways to meet our expectations:
- You have a DPIA policy which includes:
  - clear procedures to decide whether you conduct a DPIA;
  - what the DPIA should cover;
  - who will authorise it; and
  - how you will incorporate it into the overall planning.
- You have a screening checklist to consider if you need a DPIA, including all the relevant considerations on the scope, type and manner of the proposed processing.
- If the screening checklist indicates that you do not need a DPIA, you document this.
- Your procedure includes the requirement to seek advice from the DPO and other internal staff as appropriate.
- Your procedure includes consultation with controllers, data processors, individuals, their representatives and any other relevant stakeholders as appropriate.
- Staff training includes the need to consider a DPIA at the early stages of any plan involving personal data and, where relevant, you train staff in how to carry out a DPIA.
- You assign responsibility for completing DPIAs to a member of staff, who has enough authority over a project to effect change, eg a project lead or manager.
Have you considered the effectiveness of your accountability measures?
- Are your policies and procedures easy to locate?
- Are staff aware of the process?
- Do they consider it effective?
- Have they had adequate training?
- Are DPIAs conducted by those with appropriate authority to effect change?
DPIA content
DPIAs always include the appropriate information and are comprehensively documented.
Ways to meet our expectations:
- Your organisation has a standard, well-structured DPIA template which is written in plain English.
- DPIAs:
  - include the nature, scope, context and purposes of the processing;
  - assess necessity, proportionality and compliance measures;
  - identify and assess risks to individuals; and
  - identify any additional measures to mitigate those risks.
- DPIAs clearly set out the relationships and data flows between controllers, processors, data subjects and systems.
- DPIAs identify measures that eliminate, mitigate or reduce high risks.
- You have a documented process, with appropriate document controls, that you review periodically to ensure it remains up to date.
- You record your DPO’s advice and recommendations and the details of any other consultations.
- Appropriate people sign off DPIAs, such as a project lead or senior manager.
Have you considered the effectiveness of your accountability measures?
- Do staff use the DPIA template and find it easy to understand?
- Is the process effective?
- Is the DPO satisfied that their advice is taken into account?
- Are they satisfied with any consultation that has taken place and with how you reflect any feedback in the outcome?
DPIA risk mitigation and review
You take appropriate and effective action to mitigate or manage any risks a DPIA identifies, and you have a DPIA review process.
Ways to meet our expectations:
- You have a procedure to consult the ICO if you cannot mitigate residual high risks.
- You integrate outcomes from DPIAs into relevant work plans, project action plans and risk registers.
- You do not start high risk processing until mitigating measures are in place following the DPIA.
- You have a procedure to communicate the outcomes of DPIAs to appropriate stakeholders, eg through a formal summarised report.
- You consider actively publishing DPIAs where possible, removing sensitive details if necessary.
- You agree and document a schedule for reviewing the DPIA regularly or when the nature, scope, context or purposes of the processing changes.
Have you considered the effectiveness of your accountability measures?
- Do staff understand when to consult the ICO?
- Do you effectively integrate outcomes from DPIAs into projects?
- Are appropriate stakeholders aware of the outcomes of DPIAs?
Further reading
ICO guidance:
- Data protection impact assessments
- Data protection by design and by default
- ICO template: DPIA template
External guidance:
- The National Archives: Information Assurance
- The National Archives: Managing information risks
- National Cyber Security Centre: 10 Steps to Cyber Security – Risk Management Regime