At the moment, many businesses are thinking about how they can adopt new technology to improve their efficiency and profit margins, and the use of AI has become somewhat of a divisive subject.
One reason is that if that new technology involves the use of personal data, then the GDPR (known as the UK GDPR since Brexit) comes into the spotlight. Under data protection legislation, whenever you are thinking about adopting new technology, introducing a new process, or changing the way you do things, you should also think about whether you need to carry out a data protection impact assessment (“DPIA”).
So what is a DPIA, why do you need to think about it and are there any top tips?
A DPIA can help you comply with your obligations under the UK GDPR even where it is not mandatory (there are some situations where you are required by law to carry one out).
A DPIA is essentially a risk assessment, enabling you to:
- Consider what you want to do
- Identify what the risks might be to personal data or to the rights of individuals
- Work out whether you can reduce the potential risk to individuals
- Understand the “resulting risk” to individuals once you have put your risk mitigations in place.
If your DPIA shows that, having put in place all reasonable measures to reduce the risk, were you to proceed with your new proposed activity there would likely be a “high risk” of harm to individuals – and this is broadly interpreted – then you cannot proceed without first having consulted with the ICO.
Following this process is not only good practice; it can also help you demonstrate how you are meeting your legal obligations by adopting a “privacy by design and by default” approach, and keep you out of trouble with the ICO and others for unlawful processing of personal data.
Let me leave you with three top tips:
- Embedding DPIAs into your normal processes when considering new technology or new procedures that touch upon personal data will help create a culture of “privacy by design and default”, helping you to demonstrate your legal compliance and highlighting how your business works and what its challenges and opportunities are. In other words, DPIAs can be useful “checkpoints” during times of change.
- Train your staff in how to conduct DPIAs, and create a culture in which DPIAs are seen as a “team effort” and there are no “bad consequences” if you speak up for the right reasons.
- Reach out for support – take advantage of the ICO website – it has sector-specific advice, including on DPIAs!