The DPIA in practice – balancing obligation with opportunity
Obligation Vs Opportunity
The ICO has recently issued detailed guidance on DPIAs (Data Protection Impact Assessments) as part of a consultation process. Included in the guidance is the list, required by art 35(4), of processing operations for which the ICO will require a DPIA to be carried out.
One of those operations is:
“Data matching: combining, comparing or matching personal data obtained from multiple sources.”
This presents all data controllers and processors with a conundrum:
- On the one side – the ICO requires a DPIA when combining data sets
- On the other side – how can you comply effectively with the GDPR without combining data sets in order to create a single view of each data subject?
This makes it difficult to escape doing a DPIA in the first place (Obligation). So what does this mean for data controllers and processors, and how can they take advantage of it (Opportunity)? It’s a delicate balancing act.
The devil in the DPIA requirement detail
To comply effectively with the GDPR you must at some point create a single view of your customers, which in turn requires matching across all of your data sets. This does not have to be a formal combination of data sets via a Master Data Management process but some kind of matching will still need to be performed across data sets.
How else, for example, will you comply with a request for erasure?
You can decide to do this matching manually or automatically, but either way it is still ‘processing’ within the meaning of the GDPR:
“… any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means…” (art 4(2)).
In addition, the fact that this processing is in response to the exercise of a right under the GDPR does not remove any compliance obligations – legal basis, purpose, retention and appropriate measures all still need to be considered and documented.
This being the case, any organization that stores personal data in more than one place faces the same choice. If you choose to do the matching manually as a one-off exercise, you lose the benefits a single data set would offer, but a DPIA is still required. In fact, the DPIA may be made more complex by having to deal with different manual matching processes between different data sets.
The obligation to consult individuals affected by relevant processing is an opportunity
Consultation is not necessary if you can demonstrate a good reason not to consult, such as that it would compromise commercial confidentiality, undermine security, or be disproportionate or impracticable; otherwise it needs to be carried out, which in practice means most cases. However, given that you can depart from views expressed in the consultation (provided the reasons for doing so are documented), why else might you choose to carry out a DPIA?
A proportionate piece of market research to understand what customers would reasonably expect you to do with their data could offer great insight and identify new avenues for processing to drive additional revenue.
Understanding what customers reasonably expect their data to be used for may also go a long way to establishing legitimate interest as a legal basis for processing.
Taking advantage of the DPIA process
The ICO has always promoted DPIAs (and their predecessor PIAs) as vehicles for compliance. So why would you not do one that is proportionate for your organization? If you don’t, you’re immediately on the back foot and having to re-invent the wheel in terms of how compliance can be demonstrated.
One final note: this list of processing operations can vary between member states, and it differs from the guidance issued by the Article 29 Working Party. Care may need to be taken as to when a DPIA is technically required; however, the impact of this may be minimal if there is widespread adoption of DPIAs as vehicles for demonstrating compliance.
So what next?
There are several different ways to go ahead with a DPIA itself. You could use the ICO’s guidelines and templates and undertake it yourself. You could work with an expert organisation – like Entity Group – to have them undertake a DPIA for you and keep it updated as part of an ongoing service. We will be able to advise you on how and when to undertake a DPIA as part of your GDPR compliance process.
Or, if you already use a data matching system such as MDM then you could come to us to have a standard MDM assessment performed which we can help you manage via governance workflows.