Data Protection Impact Assessments (DPIAs) have featured a lot in recent times and are, quite rightly, becoming a key and core part of the handling and protection of Personal Data.
However, why are they still meeting so many issues around implementation, use, understanding and even getting people to complete them at the appropriate time? Are we getting them right and staff are the problem, or are we missing the point of them and creating hard work for staff? Or is it both? Or neither! Who knows!!!
I recently held a webinar with around 45 delegates and explored some of these issues and shared some best practice advice. So what follows is a mixture of my own experience and advice and some really good key points from those who attended. My thanks to you all for what was a really good discussion!
Fair warning, there is LOTS of content in here as I had a lot to say and so did those who attended. So please bear with me and hopefully it all proves as useful to you as it did to those who came along and pitched in.
DPIAs in the ‘headlines’:
There have been a great number of cases where a DPIA done on something, early on, could have avoided that something turning into the colossal balls-up that it became. From the Samaritans Radar app in 2014 to the Government's Track and Trace system in recent times, DPIAs are clearly important and growing in awareness and attention.
But what have the recent examples in the media taught us? Have they taught us that DPIAs are on the rise? Or have they shown, as we all suspect, that senior people (the Government in the very recent case) still see them as a ‘pointless waste of their time’? ‘Red tape’ to stop creativity or, in the Track and Trace system, to stop us ‘fighting a public health crisis’.
I could make a point about how the Government deliberately didn’t do one in order to frame the whole thing as Data Protection and the EU’s fault. But I won’t. I’ll behave and focus on the issue at hand. (But I wouldn’t put it past this utter shambles of a Government… #JustSaying).
I will also say, and thanks to Daragh O'Brien and Katherine O'Keefe for this reference, that the Irish Government (in contrast to our own) have been really good in their DPIA on Track and Trace. It is published, very clear and outlines some key commitments to data minimisation and security. Even if you disagree with their content, you can't argue with their approach.
What is a DPIA?
Let's start with the basics. Article 35 of the General Data Protection Regulation (GDPR) sets out when a DPIA is required:
"Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that may present similar high risks."
(EU General Data Protection Regulation, Article 35(1))
Bearing that in mind, what do your DPIA questions or risk assessment focus on? Risks to the organisation, or risks to the individual? Did it start with risks to the individual, but you've now done so many (and have so many more to do) that you jump straight to risks to the organisation because it's just easier to articulate and manage it that way?
Be honest! Around the room many agreed with this point. Many of the questions and/or the risks focused on 'compliance risks' framed as risks to the organisation, not necessarily worded in terms of impact or likelihood with the individual in mind as the primary concern.
We also discussed how difficult it is not to think in 'organisational risk' terms when you are a person within the organisation, completing a DPIA that needs to fit in with that organisation's processes and wider risk management framework. The only way is to take our employee thinking hats off and put on the 'hat' of the Data Subject, to view the processing through their lens: their experience of the activity, and exploring all possible experiences within that (I'll explain more about that in a minute).
What follows are the 6 main areas of focus for the advice that we have collated from personal and group experience in our DPIA discussion. Not the 'be all and end all', but hopefully some food for thought to keep your DPIA templates on their toes.
6 top tips for your DPIAs:
1. Who is filling it in? (And are you expecting them to speak French/Klingon/Old Valyrian?)
Many standard DPIAs contain complex and legalistic questions that work brilliantly if your audience is a data protection lawyer (or me). Questions, which while perfectly relevant, are there for the benefit of the Data Protection ‘assessor’, not the poor unsuspecting soul trying to translate what they are doing (or want to do) into Data Protection language.
Many of the forms work on the assumption that (a) the person completing it knows what they want to do and how they want to do it, and (b) they know why they are doing it, or the legal power/obligation they are relying on to do it.
Around the room the general consensus was that many of their 'DPIA completers' had no idea. Either because they were not the person who should know that sort of information, or because they are doing a DPIA on an idea, so they want advice on what powers they could or could not use and are instead being forced to create the answers for themselves (which is always dangerous).
Avoid complex forms. If your DPIA form is 30 pages of Data Protection geekery then I strongly suggest you go back to the drawing board. The business does not share our knowledge or level of geekery, therefore asking them to translate what they are doing into Data Protection terms will always be like pulling teeth. You can either carry on fighting that, or accept it and create something that works for your audience instead. The choice is yours, but I'd pick a better hill to die on if I were you. Short, sharp, simple and clear advice and guidance.
Train and support staff. There will be elements of your DPIA that, purely by their nature, are complicated. And while we can make it easier for the person filling it in, we've still got to support and train them. Therefore, work out who the best people to train are and give them training on Data Protection and the DPIA itself. That could include your project managers, IT project managers, Asset Owners etc. Think strategically: who can help you out with completing them and increasing staff understanding of them? The more you can train them to a decent standard, the more allies and help you'll have in your organisation.
*WARNING – SALES PLUG*
Alternatively, I could come and do it for you. My DPIA training content has been very well received with various clients and I LOVE training on DPIAs. Also, I have a cat to feed. Think of the poor kitten! (I’m really not below emotional blackmail, even with a toy cat).
Don’t ‘punish’ staff for not knowing the answer to some fields. In an ideal world a DPIA should be done at the very early stages of a project or activity. So, at idea formulation stage in the most ‘ideal world’. At that stage, most of the finer detail is unknown to everyone concerned.
A question like 'how will you ensure personal data can be searched for a SAR?' is, quite rightly, going to be met with blank faces. It is quite right that the person filling it in just doesn't know yet. They are doing the DPIA to pull out all the things it needs to consider and, heaven forbid, may actually want our help and advice to get it right from the word go. So embrace that. It's perfectly fine to leave some bits empty, as we can record it as a potential area of concern and provide advice on what would be required in order to mitigate any risk.
Otherwise they will feel pressured into getting you an answer and either make one up, put in the world's most non-committal answer ever, or just not complete your DPIA until further down the line when they feel more of the answers may be ready for 'assessment'. And at that stage, it may be too late…
P.S. Fundamentally, if your DPIA is expecting a fully baked idea before it's completed then that's not really 'Data Protection by Design' now, is it? I'll eat my hat the day any business area presents me with a fully baked 'perfect' cake with all the Data Protection concerns covered off before a DPIA goes anywhere near it. If you have experience of someone doing this in your organisation, I want to hear from you. I also expect you to have marked the occasion with a photograph and cake. Otherwise I reserve the right not to believe you.
2. Slow and steady wins the race. Why the hurry?
Many DPIA forms seem to be written just to get the person filling them in through the process and even, on occasion, to tick a box and move on. We, as the Data Protection person, then complain that the business sees the whole thing as a 'tick box exercise'. Well, can you really blame them? Our entire form is designed to speed them through the process without really thinking about what impact there is from what they are actually doing. It doesn't feel like a discussion, it feels like a medical questionnaire before an operation, and I don't want to declare that I had breakfast this morning (or that I'm technically a 'binge drinker'. I hate that term, but that's a discussion to be had over a bottle of wine).
Slow and steady wins the race. Focus your questions on what someone is looking to do or, in most cases, is already doing. The WHAT of what they are doing is often even more important than the WHY.
Right answer for the right question. Focus your questions on drawing out the outcomes of what they are doing and the specific steps they are going through in order to get there. They will (or should) know the answers to those questions. They know in their minds what it is they want to achieve, so if your questions are not pulling that out of them, then change them to questions that do.
Sometimes simple is better. It could literally be something as simple as 'what are you looking to achieve?' and 'how are you looking to achieve it?'. Then: give us details of how you see this working. Do you even know how you see this working yet?
3. Plumbing is about the flow. Beginning, middle and end.
The best way of delving into the HOW of what someone is doing is to get into the flow of data. Where, when, how. I love it! People can say what they want about high-aiming statements like 'to drive down crime' or 'reduce deaths' etc. All of which are worthy causes, don't get me wrong, but the devil is quite literally in the detail. And if the detail shows that what they are doing isn't ever likely to make any real difference to reducing crime, then that lovely 'mission statement' is about as valuable as the paper it is written on.
This is where you put on your 'Inspector Clouseau' pants and dig, dig, dig. What is this? How does that work? Who is doing this? Where does that come from?
You are the DPO (or similar). If you have no idea what the DPIA is about then of course you’re well within your superhero rights to go digging.
Are you really being clear? And is that your definition of 'clear' or your average member of staff's definition of clear? Do your questions (or training and guidance) make it clear that we have to capture the specifics of what is happening and that, as well as meeting our purposes, it is also a really useful exercise for them? If not, why not! It is a really good area to add value back to their whole process, so (to use an Essexism) why not 'big it up'? (Yes, I threw an Essexism in there. I'm not proud (I am proud)).
Good stories have a beginning, middle and end. In the story of whatever it is the DPIA is on, in order for them to live happily ever after, their story must have a beginning, a middle and an end. Do your questions pull this out? Do staff even know what on earth that means? Look at your questions: if you think a question clearly doesn't encourage the person completing it to think of the full lifecycle of their 'story', then change it.
Men don't read maps. We all know that's a generalisation (or is it…?) but the point here is that most staff have never had to make a data flow map before. Do they know what to do? Have they ever been trained on it? If not, why not throw that into your training and culture programme? Don't assume that these things come easily to your average member of staff; mapping and process analysis is a skill like any other and therefore has to be learned. So have they ever learnt it?
4. Yes, but why? Don’t be afraid to challenge!
One of the other things we discussed was that people completing DPIAs very rarely have all the answers. Sometimes rightly and sometimes infuriatingly wrongly. Therefore, who does know? Who does know how this technology works? Who does know what 'legal power' we are using to do X or Y or Z? Are staff trained to find out? Do you have a network of champions or key roles that can help answer that question?
People don't know what they don't know. If they have no idea who in IT can help them, provide them with a list of agreed contacts who can. A process or contact point (or whatever you agree) where the person filling in the DPIA can get access to more specialist knowledge and support to help them with what they are doing. Otherwise it's the same as me asking you to build IKEA furniture with instructions solely written in Swedish and no translator. I think I know how to put a drawer together, but it's IKEA so all bets are off. (Other just as frustrating furniture providers are available.)
And if they don't know, who does know? Not only give the person completing the DPIA a key contacts list, but also have one for yourself. Key people in the organisation, IT, HR etc. who can help you measure the impact and answer any questions that you have. They really do pay off and mean you then have a network of people that also understand DPIAs (and you) a little bit better.
Don't be afraid to go fishing. Follow the trail of thought. If you look at something and it's not clear to you what on earth is going on, or you need to assume bits of it yourself for it to make sense, then go back and clarify. We are all under time pressure where DPIAs are concerned, but a lack of clarity or making assumptions will often lead to the mother of all balls-ups. If it's not clear to you then you can't assess the impact and therefore cannot adequately do your job as the Data Protection Officer (DPO). So, based on your circumstances and pressures, don't be afraid to go fishing until you get the clarity needed to determine what is going on.
5. Impact is just one aspect of risk. Don’t be afraid to think outside the box.
While there is an international standard on the management of 'risk', every organisation still approaches it in different ways and has different approaches for scoring and managing it. Therefore a 'one size fits all' for DPIAs just doesn't really work in my book. However, there are some key lessons that we discussed that everyone can keep in mind for their specific DPIA/Data Protection risk programme.
In the discussion we agreed that the ‘risks’ we see in DPIAs tend to be very ‘samey’, focus on the obvious areas of Data Protection risk and, as we talked about earlier, focus on the organisation’s compliance and not really the impact to the individual concerned. The organisation’s compliance is important, but that isn’t the centre of your DPIA. Otherwise you can miss some key fundamentals (please don’t make me quote the Track and Trace DPIA again).
Get out of your head. We human beings are very good (almost experts) at managing risk in our heads. We assess, discount, accept or reject risks almost every moment of every single day. Therefore, when in the real world we have to risk assess something, we have already assessed it in our heads and will discount some threats/likelihoods/controls before they ever make it to paper or come out of our mouths.
This is a mistake. The best risk advice I was ever given, that has helped me time and again, was to get out of your own head when looking at risk and impact. Consider everything and explore everything. Even the outlandish things. Throw them into the mix, THEN stick on your 'serious' pants and look at everything you've got, applying logic and 'proof' that X could never happen, or is unlikely to happen, because of Y.
Assume nothing. Linked to the above, we assume certain things are a given and will happen by default. Especially where things like technology are concerned. But that is an assumption, and an ASS-UMp-tion does what? Therefore, if you are relying on a control to mitigate something, who owns that control? How do you know it is in place, and indeed will remain in place? The magic IT fairies don't just make stuff happen, some poor soul has to, so who is that poor soul? What are the controls that support the control I am relying on, and therefore can I actually rely on it?
Get into the head of the individuals concerned. That sounds a little creepier than I mean it to be. I mean put yourself in their shoes. What is the impact of a CCTV camera picking up the movements of an unsuspecting pedestrian on the high street? What is the impact if a pub doesn't secure my personal data and my girlfriend gets hold of it to prove I had a drink with my ex the other day?
We know what our maps of the world tell us, therefore to determine ‘impact’ to individuals we really do have to park our own maps of the world and see the impact of this activity through their eyes.
6. Who signed for this? Are you giving a ‘DPO approval’ and what does that mean?
Most people in the room agreed there was a space on the DPIA for a ‘DPO approval’, but there was a mixed response as to what this meant. For some, it was an approval to move to the next stage in your overall governance controls. For others, it was a formal approval for the activity to proceed.
If the DPO is the independent 'critical friend', responsible for nothing other than their own advice and tasks under GDPR, can a DPO really give an 'approval' for something to proceed? Or, instead, can they only confirm that a DPIA has been completed and all actions agreed and/or implemented?
Be clear what the DPO 'signs for'. If you've been giving approvals up until now, don't be surprised that the organisation then sees DPIAs as your responsibility and not theirs. Psychologically, getting an approval/support for something rather than clearance that what you have done is right are two very different mindsets. If the organisation knows that you, as the DPO, will give advice and guidance and will check the overall process, they will act and behave accordingly. Whereas, if they are simply seeking your yes/no, they will behave accordingly and differently to the above. So be clear on what precisely you are 'approving' and make it clear that the DPIA (and its risks) are owned and 'accepted' by the organisation, not the DPO.
Where do high risks go? Do you have an escalation process, so that if a 'high risk' is highlighted it can go to the person at the appropriate level to review and accept or reject it? Make sure people completing the DPIA are aware of that and trained on it, so they know that, potentially, a senior director in another part of the business has the power to veto what they are doing if it's high risk enough. Bad news up front always goes down better than a last minute 'by the way'.
What role does someone like the SIRO have in all of this? As part of that escalation process, if you have a Senior Information Risk Owner (SIRO), what role do they play in all of this? And what do they need from you in order to understand what it is you are presenting to them and asking them to review? Do they need training on your DPIA process and their role within it? If it helps, give it to them. I'd rather have a SIRO on side than resisting me because they don't understand their role in DPIAs and therefore avoid it.
The end! Finally…
DPIAs are a really useful tool for assessing the use of personal data. That's a given, otherwise why are they now mandatory in certain circumstances? They are also a good method for you to better understand the organisation that you are advising, as well as a good medium for the person filling in the DPIA to learn more about data and data protection. So while yes, the DPIA has to do certain things, why not also make it an opportunity to educate (both you and them), upskill staff and maximise the benefits a good DPIA process can bring?
Hopefully these have given you some food for thought. Let me know if you have any other areas of feedback we can add in to the mix or if you want to know more about anything we discussed. Similarly, if you’d appreciate a webinar on an area of Data Protection to throw around some ideas and best practice, let me know!
Oh, the point we also discussed on ‘Information Maturity Models’ I’ll pick up in another post (as this one was long enough already). So watch this space.
(P.S. I’m available for a reasonable fee to help you on your DPIA development journey. And don’t look at me like that, I have a cat to feed…)
Lighthouse IG is a freelance data specialist firm supporting a range of organisations on their data related challenges. From training and skills for staff through to providing advice and guidance on new projects and initiatives, Lighthouse IG can help you in a practical, ethical, accountable and affordable way. We also offer template forms, including Data Protection Impact Assessments, for your use and to build on. For more information pay a visit to the Lighthouse reception area at www.lighthouseig.com.