Data protection regulations can be seen as the bane of anyone who collects or maintains personal data. We, with our dependence on email marketing lists, have to make a considerable investment with regards to research and training staff, so being told by the ICO that we might need to make a Data Protection Impact Assessment (DPIA) might be met with a certain resignation.
In case you don’t know what a DPIA is, you must/should complete one if the processing of personal data is likely to result in high risk. It should not be looked on as an imposition so much as a safety procedure that can protect you, your company and staff in dangerous circumstances. In fact, it should be considered in any major process that includes personal data.
The advertised function of a DPIA is, according to the ICO, to ‘help you identify and minimise the data protection risks of a project.’ Whilst you should not quote me on this, previous actions by the ICO tend to indicate that if there is a problem and the ICO investigates, the fact that a DPIA was completed properly will go some way to mitigate any penalty.
Suggesting that you ‘did your best’ is not enough on its own. A certain level of competence is required when handling personal data. As we maintain email marketing lists on a daily basis, processes should be as secure as possible.
The ICO states that if a DPIA is required, see later, it must:
1/ describe the nature, scope, context and purposes of the processing;
2/ assess necessity, proportionality and compliance measures;
3/ identify and assess risks to individuals; and
4/ identify any additional measures to mitigate those risks.
Number 3/ is the difficult bit of course, as it requires judgement. The ICO gives advice on what to consider, such as the likelihood and severity of the impact on individuals. You should document the reasons you came to your conclusions.
You should consult your data protection officer and, if necessary, other specialists. If you identify a high level of risk to individuals but can mitigate it with additional procedures, then the risk level drops. If you can’t then you must consult the ICO before starting.
The ICO does not expect to be sent DPIAs as a matter of course. It promises to give written advice within eight weeks, but in complex cases this extends to 14. It may then issue a formal warning not to process the data, or to stop processing altogether.
Why should you bother? There are always risks with building, maintaining and processing email marketing lists, and you will have processes in place to ensure that these risks are kept to a minimum. Nice as it would be to suggest that they can be eliminated, it can’t be done with any process that requires input from individuals.
Instigating a DPIA, either because it is required or you feel it appropriate, is a way of ensuring your data is safe. That’s a decent target for anyone in email marketing.