The UK ICO's 10 Criteria for DPIAs

When do you NEED to do a DPIA under UK GDPR? We look at the UK ICO's 10 Criteria. And we've a great infographic you can download!

When do you need to carry out a DPIA under UK GDPR?

UK GDPR

This blog focuses on the UK GDPR and, in particular, the UK ICO’s guidance on the criteria to consider under UK GDPR when deciding whether a DPIA is required. And we’ve a great infographic for you to download and keep as a cheat sheet!

EU GDPR

If you’re covered by the EU GDPR, we’ve other blogs and infographics on the EDPB Guidelines’ famous 9 Criteria and the EDPB’s 9 Worked Examples. Those EDPB Criteria are still relevant to UK GDPR, because these UK ICO Criteria need to be read together with the EDPB Criteria.

Let’s start with the UK ICO’s Guidance on DPIAs.


The UK ICO’s Guidance on DPIAs

The UK ICO’s DPIA Guidance clearly sets out:

  • the context from Brexit and the creation of UK GDPR,
  • the interaction between the UK and EU Guidelines,
  • the test in GDPR Art 35 and the 3 examples in Art 35(3), and
  • the UK ICO DPIA Criteria (which refer to the EDPB DPIA Criteria).

So let’s start with a quick refresher on the test in UK GDPR!


UK GDPR’s DPIA Test

DPIAs can always be carried out voluntarily. They’re a great way to set out your thinking, help with planning, ensure efficiencies, head off issues, manage risks and expand rewards. Pretty good!

But they also need to be done, under Art 35 of both EU and UK GDPR, if your processing ‘is likely to result in a high risk to the rights and freedoms of natural persons’.

3 examples in GDPR itself

Your starting point in deciding whether to carry out a DPIA is Art 35(3) of both EU and UK GDPR. This sets out 3 examples when a DPIA is required:

  1. a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person,
  2. processing on a large scale of special categories of personal data (Art 9) or personal data relating to criminal convictions and offences referred to in Art 10, or
  3. a systematic monitoring of a publicly accessible area on a large scale.

This is a non-exhaustive list. The test is still whether or not your processing ‘is likely to result in a high risk to the rights and freedoms of natural persons’. How to tell?

Enter the UK ICO’s 10 Criteria on DPIAs!


The UK ICO’s 10 Criteria on DPIAs

The UK ICO’s Guidelines set out 10 Criteria to expand on the test in GDPR itself, and to help decide if a DPIA is needed.

It’s important to note that the way you use the UK ICO’s 10 Criteria is different to the way you use the EDPB’s 9 Criteria:

  • With the EDPB’s 9 Criteria, you make your mind up based on how many criteria you tick off. The more you tick off, the more likely you need a DPIA – or not. Ultimately the decision is yours.
  • With the UK ICO’s 10 Criteria, some of the criteria need a DPIA on their own, and some only if you also tick off one of the EDPB’s Criteria.

Simples.

While we highly recommend you read the UK ICO’s Guidelines in full, we’ve put together a great infographic as a fantastic aide-mémoire on which is which.

Infographic of The UK ICO’s 10 Criteria for DPIAs


Criteria #1: Innovative technology

Processing involving the use of new technologies, or the novel application of existing technologies (including AI).

DPIA? Yes, when combined with any of the EDPB Criteria.

Examples: Artificial intelligence, machine learning and deep learning. Connected and autonomous vehicles. Intelligent transport systems. Smart technologies (including wearables). Market research involving neuro-measurement (i.e. emotional response analysis and brain activity). Some IoT applications, depending on the specific circumstances of the processing.

Criteria #2: Denial of service

Decisions about an individual’s access to a product, service, opportunity or benefit that is based to any extent on automated decision-making (including profiling) or involves the processing of special category data.

DPIA? Yes.

Examples: Credit checks. Mortgage or insurance applications. Other pre-check processes related to contracts (i.e. smartphones).

Criteria #3: Large-scale profiling

Any profiling of individuals on a large scale.

DPIA? Yes.

Examples: Data processed by Smart Meters or IoT applications. Hardware/software offering fitness / lifestyle monitoring. Social-media networks. Application of AI to existing processes.

Criteria #4: Biometrics

Any processing of biometric data for the purpose of uniquely identifying an individual.

DPIA? Yes, when combined with any of the EDPB Criteria.

Examples: Facial recognition systems. Workplace access systems/identity verification. Access control / identity verification for hardware / applications (including voice recognition / fingerprint / facial recognition).

Criteria #5: Genetic data

Any processing of genetic data, other than that processed by an individual GP or health professional for the provision of health care direct to the individual.

DPIA? Yes, when combined with any of the EDPB Criteria.

Examples: Medical diagnosis. DNA testing. Medical research.

Criteria #6: Data matching

Combining, comparing or matching personal data obtained from multiple sources.

DPIA? Yes.

Examples: Fraud prevention. Direct marketing. Monitoring personal use/uptake of statutory services or benefits. Federated identity assurance services.

Criteria #7: Invisible processing

Processing of personal data that has not been obtained direct from the data subject in circumstances where the controller considers that compliance with Art 14 would prove impossible or involve disproportionate effort.

DPIA? Yes, when combined with any of the EDPB Criteria.

Examples: List brokering. Direct marketing. Online tracking by third parties. Online advertising. Data aggregation / data aggregation platforms. Re-use of publicly available data.

Criteria #8: Tracking

Processing which involves tracking an individual’s geolocation or behaviour, including but not limited to the online environment.

DPIA? Yes, when combined with any of the EDPB Criteria.

Examples: Social networks, software applications. Hardware/software offering fitness/lifestyle/health monitoring. IoT devices, applications and platforms. Online advertising. Web and cross-device tracking. Data aggregation / data aggregation platforms. Eye tracking. Data processing at the workplace. Data processing in the context of home and remote working. Processing location data of employees. Loyalty schemes. Tracing services (tele-matching, tele-appending). Wealth profiling – identification of high net-worth individuals for the purposes of direct marketing.

Criteria #9: Targeting of children/other vulnerable individuals

The use of the personal data of children or other vulnerable individuals for marketing purposes, profiling or other automated decision-making, or if you intend to offer online services directly to children.

DPIA? Yes.

Examples: Connected toys. Social networks.

Criteria #10: Risk of physical harm

Where the processing is of such a nature that a personal data breach could jeopardise the [physical] health or safety of individuals.

DPIA? Yes.

Examples: Whistleblowing/complaint procedures. Social care records.

Assessments made easy – in Keepabl

You can always carry out your assessment outside of Keepabl in Word, a GDoc or however you like to do them, and then upload or link to that assessment in Keepabl and we’ll report on it. But you can make life easier by carrying out the assessment in Keepabl, in our Assessments solution!

Book your demo now and see how easy we make template management, building your own templates, switching between templates without messing up your records, bringing in Contributors (and kicking them off), freezing the assessment for signature, and our own, intuitive, audited signature process.
