Data Protection Impact Assessments Checklist

June 2017

Under the GDPR, data protection impact assessments (DPIAs) are mandatory where the processing poses a high risk to the rights and freedoms of individuals. While they can also be carried out in other situations, organisations need to be able to evaluate when a DPIA is required.

This checklist helps you make that assessment and provides a springboard for some of the issues you will need to consider in more detail if you do need to carry out a DPIA.

Do you need to carry out a DPIA?

  • What is the objective/intended outcome of the project?
  • Is it a significant piece of work affecting how services/operations are currently provided?
  • Who is the audience or who will be affected by the project?
  • Will the project involve the collection of new information about people? (e.g. new identifiers or behavioural information relating to individuals?)
  • Will the project involve combining anonymised data sources in a way that may give rise to a risk that individuals could be identified?
  • Will the project involve combining datasets originating from different processing operations or data controllers in a way which would exceed the reasonable expectations of the individuals?
  • Is data being processed on a large scale?
  • Will the project compel individuals to provide information about themselves?
  • Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information?
  • Will personal information be transferred outside the EEA?
  • Is information about individuals to be used for a purpose it is not currently used for, or in a way it is not currently used?
  • Will information about children under 16 or other vulnerable persons be collected or otherwise processed?
  • Will new technology be used which might be seen as privacy intrusive? (e.g. tracking, surveillance, observation or monitoring software, or capture of image, video, audio or location data)
  • Is monitoring or tracking or profiling of individuals taking place?
  • Is data being used for automated decision making with legal or similar significant effect?
  • Is data being used for evaluation or scoring? (e.g. performance at work, economic situation, health, interests or behaviour)
  • Is sensitive data being collected, including:
    • Race
    • Ethnic origin
    • Political opinions
    • Religious or philosophical beliefs
    • Trade union membership
    • Genetic data
    • Biometric data (including facial recognition)
    • Finger or palm print data
    • Health data
    • Data about sex life or sexual orientation?
  • Will the processing itself prevent data subjects from exercising a right or using a service or contract?
  • Is the information about individuals of a kind likely to raise privacy concerns or is it information people would consider to be particularly private or confidential?
  • Will the project require contact to be made with individuals in ways they may find intrusive?

Other issues to consider when carrying out a DPIA

In addition to considering the above issues in greater detail, when conducting a DPIA, you will also need to look at issues including:

  • The lawful grounds for processing and the capture of consent where appropriate
  • The purposes the data will be used for, how this will be communicated to the data subjects and the lawful grounds for processing
  • Who the data will be disclosed to
  • Where the data will be hosted and its geographical journey (including how data subjects will be kept informed about this)
  • The internal process for risk assessment
  • Who needs to be consulted (DPO, data subjects, regulator)
  • Data minimisation (including whether data can be anonymised)
  • How accuracy of data will be maintained
  • How long the data will be retained and what the processes are for deletion of data
  • Data storage measures
  • Data security measures including what is appropriate relative to risk and whether measures such as encryption or pseudonymisation can be used to reduce risk
  • Opportunities for data subjects to exercise their rights
  • What staff training is being undertaken to help minimise risk
  • The technical and organisational measures used to reduce risk (including allowing different levels of access to data and red-flagging unusual behaviour or incidents)

For more on the latest draft guidance from the Article 29 Working Party on carrying out DPIAs, see our article.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.