DPIAs - Essential risk assessments

DPIAs – Essential risk assessments

It is always advisable to carry out a data protection risk assessment (DPIA) when considering a new initiative or a change to existing working practices. There can be hidden privacy pitfalls in new ventures that will be identified at an early stage so that solutions can be found before a particular way of working is hard wired into the project.

An emergency or near emergency is not an excuse for missing out vital compliance steps such as conducting a DPIA, although it is tempting. We hear repeatedly about the “new normal” and the need to adapt but we must ensure that the cost of adaptability does not include privacy incursions and data protection breaches.

It is reported that as gyms are closed and employees based at home cannot use subsidised eateries, organisations are trialling the provision of different perks to employees for example streaming exercise and yoga classes, providing access to mental health apps and delivering snacks to their homes.

It sounds great but then again:

What data will be collected about the health of participants in exercise classes? Back problems and other injuries have to be shared with instructors to ensure that exercises are appropriate to participants.
Who will tell senior management that participation in circuit training is not a factor to take into account when deciding on promotions?
How secure is the mental health app? If the employer recommends its use to its employees there will be an implication that the app, its security and the advice given is sound.
What data will be collected about diet based on the snacks selected by employees? And what will that say about allergies and intrinsically about health issues?
Did employees provide their home address for the purpose of delivering snacks? Are employees being kept informed about how their data is being used?
What are the legitimate grounds for processing in each case?
What assumptions will be made about lifestyle as a result of any of the above?

The lockdown has blurred the lines between home and work but on the other hand, we all have the human right to respect for our private and family life. All of the potential issues identified above can easily be resolved but only if someone asks the questions first. New projects need to pass a number of tests, business fit, IT capability, finance measures and compliance, it is almost worthwhile having a checklist with names and job titles for the SMT to find help with each area.

Active data protection compliance management helps send a signal to business partners, employees and customers about the culture of the organisation. Use the opportunity to make it a good signal:

“We have high standards and we expect the same high standards from you” for business partners
“Don’t forget our compliance standards” for employees and
“We are reputable and trustworthy” for customers.

About the Author: mandy.webster

Since June 1999 Mandy Webster has been a freelance consultant offering audit, advice and training on privacy, information security and e-commerce issues as Data Protection Consulting Limited. The company’s mission is to help clients from a variety of sectors, and of all sizes, comply with data protection law and to that end it offers a range of solutions. Mandy, a qualified lawyer, is author of ‘Data Protection for the HR Manager’ and ‘Data Protection in the Financial Services Industry’ published by Gower and “Effective Data Protection” and ‘The ICSA Data Protection Troubleshooter’ published by ICSA Publishing Limited. Mandy is a well-known writer, commentator and speaker on data protection.

DPIAs – Essential risk assessments