Data protection impact assessments (DPIAs) are good. No, more than good, they are essential. However, they are not a silver bullet. DPIAs often look at the system being used to collect the data and the technical processes and safeguards it has. This is critical, essential, but again, not a silver bullet.
It assumes other critical pieces of data protection are occurring – three primary assumptions.
- First, it assumes that the data being collected is being collected for a particular purpose. Often this is called something like the ‘purpose limitation’ principle. In simple terms, collect data for a particular purpose.
- Second, it assumes the process of collecting data is fair, transparent, unbiased, and inclusive. This is about process and the person(s) collecting the data. This is where data protection connects with privacy, consent, awareness, safeguarding, and rights.
- Third, it assumes the least amount of data needed to achieve the purpose is being collected. This is called the ‘data minimisation’ principle. Collect the least amount of data you need. Don’t be speculative. The smaller the dataset, the smaller the risk to the person and to the organisation holding the data.
Unfortunately, many DPIAs don’t check these assumptions. And yes, checking these assumptions is much more difficult than checking technical systems. And yes, even if we do check these safeguards it still won’t be a magical silver bullet. Nothing is. However, if we do take a broader view of data protection assessments, there will be greater buy in across the organisation or project. Staff will understand that data protection is not the job of IT.
The choice is up to us.