Our response to the ICO's draft Guidance
The Information Commissioner’s Office (ICO), the UK’s data protection regulator, published its draft guidance on data protection impact assessments (“DPIAs”) under the GDPR on 22 March 2018. The consultation period closed on 13 April 2018.
Our Data Protection team produced a detailed critique of the ICO’s Draft Guidance which is available in full here.
In summary, it is our view that the draft guidance explains clearly what a DPIA is, but is otherwise generally unclear, lacks hypothetical examples and fails to achieve its stated aim of being flexible enough to work for organisations of any size and in any sector. We believe that the draft guidance must be reviewed, and any errors or omissions corrected, before the final guidance is published. Our consultation response sets out our detailed thoughts on each of the points summarised below:
- Consultation and Publication of DPIAs
The draft guidance fails to identify when a data controller should consult with its data subjects, how long for and in what circumstances it would be appropriate to do so. We call on the ICO to clarify this. The ICO’s guidance also introduces the idea of publishing a DPIA; this is not a requirement under the GDPR and requires further explanation.
- Prior Consultation with the ICO
The draft guidance outlines the process for submitting a DPIA to the ICO for prior consultation, but it does not explain the process for re-submitting a non-compliant DPIA for further review. We also call on the ICO to give examples of the circumstances in which it would exercise its power to impose a ban on processing, which is a draconian sanction.
- What is “high risk”?
The draft guidance frequently mentions the concept of “high risk”. We are concerned with the lack of hypothetical examples relating to what kinds of processing will constitute “high risk” across a number of sectors and seek this clarification from the ICO.
- Lack of hypothetical examples
Perhaps the most significant failure of the draft guidance is that it provides no hypothetical examples at all. We believe that worked examples on which businesses can rely when making judgments about the key issues raised by DPIAs are essential.
- New Technologies
The draft guidance is unclear on the extent to which businesses will be required to conduct a DPIA in respect of “old” technologies that are already in use and were implemented before the GDPR applies.
- Impact on society
The draft guidance identifies that the impact on society as a whole may be a relevant risk factor when identifying risks caused by processing personal data. The GDPR makes reference to the impact on data subjects, not society as a whole. We believe that this notion in the guidance goes beyond the scope of the GDPR and the ICO should identify how businesses are expected to measure what constitutes a risk to society at large.
If you would like further information on the above response or if you need any assistance on getting GDPR compliant, please contact Matthew Holman, or you can give us a call on 0345 070 6000.