Data Protection Impact Assessment

View the related practice notes about Data Protection Impact Assessment

Online behavioural advertising

Online behavioural advertisingThis Practice Note analyses the following commercial and legal issues relating to online behavioural advertising (OBA), targeted advertising, profiling and automated decision-making:•What is online behavioural advertising?•Terminology and contractual models•Technology behind behavioural advertising•UK GDPR and online behavioural advertising•General profiling and decision making based on profiling•Solely automated decision-making, including profiling•Data protection impact assessments•PECR 2003•Interplay between PECR 2003 and the UK GDPR•Government and regulatory scrutiny of online behavioural advertising•ePrivacy Regulation•CAP Code•EASA CodeAlthough many laws are relevant in this context, the primary consideration is data protection. This note addresses the position under the United Kingdom General Data Protection Regulation, Retained Regulation (EU) 2016/679 (the UK GDPR): the UK version of the EU’s GDPR incorporated into domestic law following the end of the Brexit implementation period.The introduction of the EU GDPR in 2018 had a significant impact on OBA in comparison to the previous data protection regime due to stricter limitations on the processing of personal data and greatly increased fines for non-compliance. One study found that there had been a 22% drop in the number of cookies placed by news websites without the user’s consent since implementation. Advertising and marketing cookies specifically were down 14%.For more information on the UK and EU GDPR regimes from a general perspective, see Practice Note: Introduction to

Completing a DPIA on surveillance cameras

Completing a DPIA on surveillance camerasThis Practice Note is aimed at in-house lawyers, privacy and compliance professionals in private commercial organisations. It explains why, when and how to complete a data protection impact assessment (DPIA) on a new or existing surveillance camera or CCTV project or system. It will take you through the key points of a DPIA, based on a template and guidance produced by the Surveillance Camera Commissioner (SCC) and ICO, and takes into account the requirements of the UK General Data Protection Regulation (UK GDPR), Retained Regulation (EU) 2016/679.A DPIA does what the name suggests—it’s a way of assessing the data protection impact of a particular project or process on any affected individuals. Generally, a DPIA is conducted at the start of a project which could have data protection or privacy implications, eg rolling out a new document management or HR system. Done properly, the DPIA will enable you to:•systematically and thoroughly analyse how the project will affect individuals’ privacy, and•ensure privacy risks are minimised while allowing the aims of the project to be met whenever possibleFor more information on the use and regulation of surveillance cameras by public bodies, see Practice Note: Surveillance powers of local councils—Surveillance cameras and CCTV systems.UK GDPR and DPA 2018The data protection regime applies to all personal data, which includes images of individuals

Data protection negotiation guide—controller: processor—data protection impact assessments (DPIAs)

Data protection negotiation guide—controller: processor—data protection impact assessments (DPIAs)This Practice Note forms part of the Data Protection Negotiation Guide (the Guide) and addresses the negotiation of provisions relating to data protection impact assessments (DPIAs) in agreements between controllers and processors subject to the UK General Data Protection Regulation, Retained Regulation (EU) 2016/679 (the UK GDPR).For an introduction to the Guide and related content, see Practice Note: Data protection negotiation guide—controller: processor—introduction.This Practice Note utilises a number of common abbreviations. They are separately defined within the above introduction.As explained in Practice Note: Data protection negotiation guide—controller: processor—introduction, the parties have commercial flexibility to allocate the costs and expenses of performing these obligations between themselves.Guidance from the EDPB on equivalent provisions of the EU GDPR is likely to remain highly influential in interpreting the UK GDPR and therefore this Practice Note refers to relevant EDPB guidance.Summary of mandatory contractual termsThe contract must require the processor to assist the controller in ensuring compliance with the controller’s obligations under Article 35 of the UK GDPR to carry out DPIAs, taking into account the nature of the processing and the information available to the processor.The ICO recommends that the contract is as clear as possible about how the processor will help the controller meet this obligation.For guidance on the circumstances in which a DPIA is required under the UK

How to prepare a data protection impact assessment—DPIA

How to prepare a data protection impact assessment—DPIAA data protection impact assessment (DPIA) does what the name suggests—it’s a way of assessing the data protection impact of a particular project or process on any affected individuals.This Practice Note explains:•what a DPIA is•whether you have to conduct DPIAs, and if so•who should conduct the assessment, and•howPrecedent: Data protection impact assessment—DPIA reflects the requirements of the UK GDPR. See also Precedent: Data protection impact assessment—DPIA—short form which is based on a template issued by the Information Commissioner’s Office (ICO).The ICO guidance on DPIAs can be found in two locations: Guide to the UK GDPR, Accountability and governance, Data protection impact assessments and Data Protection Impact Assessments (DPIAs).What is a data protection impact assessment?A DPIA is a tool that can help you:•identify and minimise the data protection risks of new projects, and•meet individuals’ expectations of privacyGenerally, a DPIA is conducted at the start of a project that could have data protection or privacy implications, eg rolling out a new document management or HR system. Done properly, the DPIA will enable you to:•systematically and thoroughly analyse how the project will affect individuals’ privacy, and•ensure privacy risks are minimised while allowing the aims of the project to be met whenever possibleIs it compulsory to conduct a DPIA?UK GDPR requirementsA DPIA is

Ten things you should have done in 2018—law firm compliance [Archived]

Ten things you should have done in 2018—law firm compliance [Archived]ARCHIVED: This Practice Note has been archived and is not maintained. For more information, see subtopic: What’s changed in Practice Compliance—overview.We’d like to say that 2018 was the calm before the storm, but no-one would buy that—it’s been more like the storm before the mega storm. GDPR, pricing transparency and insurance distribution were painful for most firms, but 2018 could seem like the sunlit uplands of a golden age come 2019, as we hurtle towards Brexit and a new SRA Handbook. So, perhaps now is a good time to ignore what comes and focus on what’s been, with our top ten list of things you should have done last year.1. Mapped and recorded your data flowsWe thought about putting GDPR as a single item in this list, but it soon became apparent that wasn’t going to work. So we’ve broken down the key things you should have done on GDPR, starting at the beginning with data mapping.If you don’t know what data you hold, what you do with it or why, you can’t possibly hope to comply with the GDPR. It’s therefore not surprising that the information Commissioner’s Office (ICO) said that ‘a good way to start is by doing an information audit or data mapping exercise to clarify what personal data your organisation

What’s new and what’s changed in 2018—Risk & Compliance [Archived]

What’s new and what’s changed in 2018—Risk & Compliance [Archived]ARCHIVED: This Practice Note has been archived and is not maintained. For more information, see subtopic: What’s changed in Risk & Compliance.This Practice Note keeps you informed, on a month-by-month basis, about amended existing content and newly published content in Risk & Compliance. This content may have been added or amended to reflect regulatory changes or as part of our ongoing content development.December 2018New or updated?ContentReasonNewForecast: Risk & Compliance forecast as at 17 December 2018Our new Risk & Compliance forecast (as at 17 December 2018) is now live. This month, we report on issues including (1) AML and CTF; (2) data protection and (3) Brexit. You can rest assured we are tracking forthcoming regulatory changes so you can plan ahead.NewSubtopic: Whistleblowing—Practice Note: Protection for whistleblowersPrecedents:—Policy and procedure—whistleblowing (short form)—Whistleblowing report form—Whistleblowing report register—Whistleblowing—annual review—Training materials—whistleblowingContent developmentNewPrecedent: Register of superSAR requests and responsesContent developmentNewPractice Note: Dealing with the Financial Conduct AuthorityContent developmentNewPrecedent: Data protection impact assessment—DPIA—short formContent developmentNewPrecedent: Automated processing enquiry formContent developmentNewPractice Note: Direct marketing risk management guideContent developmentUpdatedPrecedent: Data protection board reportUpdated to include new sections on Data Protection Impact Assessments and data security.UpdatedPractice Note: Working with European lawyers—the Registered European Lawyer (REL) regimeUpdated to reflect publication of draft Services of Lawyers and Lawyer’s Practice

View the related precedents about Data Protection Impact Assessment

Data protection impact assessment—consultation form

Data protection impact assessment—consultation form[Insert title of project]—[insert who you are consulting, eg Employee consultation][Insert name of company or firm]1Introduction[Provide a brief introduction to the project to which the consultation relates, to include as required:][—a brief introduction to your company or firm][—what you are consulting on]You are invited to take part in our consultation which is running for [insert number] weeks from [insert date] until [insert date].This consultation will provide you with the opportunity to comment on [insert].Your views are important to us. They will be used to help us decide [insert].2The project: [insert description] 2.1Project overview[Insert overview of the project]. For more information about the project, see Appendix 1 and/or ‘Find out more’ at 4.1.2.2Our work so far[Insert description of what you have done so far, including any other consultations.]3This consultation3.1What we are consulting on[Describe or list exactly what you are consulting on.]3.2What we are asking you to comment onFor this consultation we would like your views and comments on:3.2.1[insert first point]3.2.2[insert next point]3.2.3[insert next point]3.2.4[insert next point]Your feedback will be used to help us make an informed decision on [insert].4Get involvedOur consultation is open for [insert number] weeks from [insert date] until [insert date].4.1Find out moreThere are a number of ways you can find out

Data protection impact assessment—consultation feedback form

Data protection impact assessment—consultation feedback formIntroduction[Provide a brief introduction of the project to which the consultation relates, to include as required:][—a brief introduction to your organisation][—what you are consulting on]You are invited to take part in our consultation, which is running for [insert number] weeks from [insert date] until [insert date].This consultation will provide you with the opportunity to comment on [insert].Your views are important to us. Please use this form to provide feedback. Complete as many sections of this form as you would like and send it to: [insert]. We will also accept feedback by email, letter and phone (see Contact details below).[Alternatively go to our [website OR intranet OR at [insert], where you can submit feedback online.]We cannot respond to individual comments and questions we receive. We will address all the themes and issues raised when we announce the outcome of this consultation.Contact detailsIf you would like any information about the project or help completing this form, you can contact us by:—calling our [freephone] number [insert]—emailing us at [insert]—writing to us at [insert]—registering for text alerts—text [insert] to [insert]—following us on twitter @[insert][—[insert other]]1About youPlease provide the information requested belowFull nameAre you responding on behalf of an organisation?☐ Yes☐ NoIf yes, which organisation:[Insert]Your address[Insert your own address or, if you are responding on

Data protection impact assessment—DPIA—report

Data protection impact assessment—DPIA—report1Project overview[Insert an overview of the project, explaining why it necessary and how it will impact on privacy. Subject to commercial sensitivity, consider including an explanation or diagram setting out the proposed information flows.]2Summary of privacy risks and approved solutionsRiskApproved solutionApproved by[Insert description of a privacy risk][[Describe the solution that has been approved to eliminate or reduce this risk] OR Residual risk accepted and approved OR [State who has approved this solution][Insert description of a privacy risk][Describe the solution that has been approved to eliminate or reduce this risk] OR Residual risk accepted and approved OR [State who has approved this solution][Insert description of a privacy risk][Describe the solution that has been approved to eliminate or reduce this risk] OR Residual risk accepted and approved OR [State who has approved this solution][Insert description of a privacy risk][Describe the solution that has been approved to eliminate or reduce this risk] OR Residual risk accepted and approved OR [State who has approved this solution][Insert description of a privacy risk][Describe the solution that has been approved to eliminate or reduce this risk] OR Residual risk accepted and approved OR [State who has approved this

Privacy impact assessment—PIA—data sharing

Privacy impact assessment—PIA—data sharingPlease ensure that this Privacy impact assessment (PIA) is sufficient for your needs. You may need to carry out a full Data protection impact assessment (DPIA)—see [insert link to your organisation’s DPIA screening questions].1Background informationProject name[Insert a name for the project]Date of PIA[Insert the date the PIA is being completed]Name and email address of person responsible for the project and completing this PIA[Insert name and email address of the person completing the PIA, eg the project manager]2Describe the projectDescribe the data sharing project/activity and its intended purpose[Insert general description of the project, eg what you want to achieve by sharing personal data and why. You may find it helpful to refer or link to other documents, such as a project proposal]Could you achieve your project aims without sharing personal data?☐ Yes—if so, you should not share the personal data.☐ No—[explain why not.]Could you achieve your project aims by sharing less personal data?☐ Yes—if so, you should reduce the amount of personal data you intend to share.☐ No—[explain why not.]3Describe the dataDescribe the data you intend to share[Describe the data you intend to share, including:][—the classes of data subjects, eg customers or prospective customers, employees, suppliers, members of

Privacy impact assessment

Privacy impact assessmentPlease ensure that this Privacy impact assessment is sufficient for your needs—you may need to carry out a full Data protection impact assessment (DPIA)—see [insert link to your organisation’s DPIA screening questions].1Background informationProject name[Insert a name for the project]Date of privacy impact assessment (PIA) completion[Insert the date the PIA is being completed]Name and email address of person responsible for the project and completing this form[Insert name and email address of the person completing the PIA form—eg the project manager]2Describe the projectDescribe the project or activity and its intended purpose[Insert general description of the project, eg what you what you want to achieve and why. You may find it helpful to refer or link to other documents, such as a project proposal]Explain why you need to process personal data—could you achieve your project aims without the use of personal data?[Insert explanation, eg describe specifically what the project aims to achieve using personal data and/or why the project will not work without using personal data. Explain what steps you have taken to consider whether you actually need personal data or could use anonymised personal data instead, and your reasons for rejecting this approach, if necessary]3Describe the dataDescribe the data[Describe the

Personal data sharing agreement—independent controllers—one-way

Personal data sharing agreement—independent controllers—one-wayThis Agreement is made on [date]Parties1[insert name of disclosing party] [of OR a company incorporated in [England and Wales] under number [insert registered number] whose registered office is at] [insert address] (Disclosing Party), and2[insert name of receiving party] [of OR a company incorporated in [England and Wales] under number [insert registered number] whose registered office is at] [insert address] (Receiving Party),(each of the Disclosing Party and the Receiving Party being a party and together the Disclosing Party and the Receiving Party are the parties).Background(A)The parties have identified a requirement to share the Shared Data for the Permitted Purpose.(B)The parties have decided to create a framework for the [systematic OR ad-hoc OR one-off] sharing of the Shared Data, which is likely to require sharing of the Shared Personal Data.(C)The Disclosing Party considers that it may share the Shared Personal Data with the Receiving Party on the legal basis of the Permitted Lawful Basis.(D)[The parties have completed a data protection impact assessment in respect of the planned sharing of the Shared Personal Data under this Agreement, and have agreed that this Agreement will assist with mitigating certain risks that have been identified.](E)The parties’ objectives in sharing the Shared Personal Data, and the reasons why that is necessary, are set out at paragraphs

View the related q&as about Data Protection Impact Assessment

What is ‘invisible processing’ and does it require a data protection impact assessment to be carried out under the General Data Protection Regulation? What guidance on this is available?

What is ‘invisible processing’ and does it require a data protection impact assessment to be carried out under the General Data Protection Regulation? What guidance on this is available?What is ‘invisible processing’?‘Invisible processing’ is discussed by the Information Commissioner’s Office (ICO) in their detailed guidance on Data Protection Impact Assessments (DPIAs) as follows:‘“Invisible processing” occurs when you obtain personal data from somewhere other than directly from the individual themselves, and you don’t provide them with the privacy information required by Article 14. The processing is “invisible” because the individual is unaware that you are collecting and using their personal data, even if you publish a privacy notice on your website.This processing results in a risk to the individual’s interests as they cannot exercise any control over your use of their data. In particular, they are unable to use their data protection rights if they are unaware of the processing. This is true even if the processing itself is unlikely to have any negative effect.You may also be at risk of breaching the fairness and transparency requirements of the first data protection principle if the processing, or any outcome from it, may not be reasonably foreseen by the individual.For these reasons, processing in this way is only permitted by the GDPR in limited circumstances. These include where to provide the privacy information proves impossible or

Is a DPIA required where I am under a legal obligation to process personal data?

Is a DPIA required where I am under a legal obligation to process personal data?Practice Note: How to prepare a data protection impact assessment—DPIA sets out when a DPIA is required.DPIA requiredA DPIA is compulsory in the case of:•a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated processing (including profiling) on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect them•processing on a large scale of sensitive (special category) personal data or personal data relating to criminal convictions and offences•systematic monitoring of a publicly accessible area on a large scaleWhere none of these apply, the General Data Protection Regulation (GDPR) requires a DPIA where processing operations, in particular using new technologies, are likely to result in a high risk to the rights and freedoms of individuals.The Information Commissioner’s Office (ICO) is required by Article 35(4) to publish a list of the kind of processing operations that are likely to be high risk and require a DPIA. The ICO has produced a list of a further ten types of processing that require a DPIA. The Article 29 Working Party (WP29) has published guidelines, which have been endorsed by the European Data Protection Board (EDPB), setting out nine criteria that may act as indicators of when processing is likely to