Mishcon de Reya page structure
Site header
Main menu
Main content section

Data Protection Impact Assessments (DPIAs): critical in the next phase of our "new normal"

Posted on 13 May 2020

As the country starts to consider steps to enable a return to work, employers and occupiers of buildings will be faced with difficult, even stark, choices about who to admit to premises, and how. Some form of social distancing is likely to remain in place, but even more importantly, it is going to be necessary to ensure that those who do return to work, or those who are allowed into others' work places, are free from coronavirus.

Employers and occupiers will want to consider who can be privy to information about the health of those coming into a building, and may also want to explore ways of fairly and safely excluding those who may be infectious. Excluding someone from a work place, or treating them differently to others on the basis of their health, is potentially a highly intrusive and discriminatory act, and a significant interference in their rights and freedoms, however justified.

All of this will require careful planning but, to the extent that personal data about people's health is involved, it will also require an equally careful analysis of the data protection implications. This is where undertaking a "data protection impact assessment" (DPIA) can be not just a useful risk-assessment tool, but also constitute a strict legal obligation. Article 35 of the General Data Protection Regulation (GDPR) mandates a DPIA where "a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons".

The Information Commissioner's Office (ICO) has this week confirmed that employers and occupiers are likely to need to undertake DPIAs as lockdown relaxes. The advice of a data protection officer (where one has been appointed) should be sought, but GDPR also requires that a DPIA involve:

  • a systematic description of the envisaged processing operations and the purposes of the processing;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects; and
  • the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with GDPR.

It's imperative that businesses are able to operate with a semblance of normality as quickly as possible, but we have to accept that for the foreseeable future this is going to be far from "business as usual".

Practical guidance for COVID-19
Read the latest COVID-19 related updates on our hub.

Related Content
News

Mishcon de Reya's Data Team ranked again in the GDR global top 100

News

Clarity of consent in fertility treatment

abstract black architecture News

Data breach crisis in central government, time for ICO to act?

News

New keeling schedules published for Data Protection Bill

News

ICO orders employer to stop using facial recognition and fingerprint scanning to monitor its employees

News

Mishcon de Reya advises Hewlett Packard Enterprise on £225 million deal to build the UK's most powerful AI supercomputer

data-blue News

Anonymisation in the life sciences sector: challenges and legal considerations

News

The Princess of Wales and possible data protection offences and infringements

Blue data abstract News

AI in the Workplace: data protection issues

Abstract crypto data News

CJEU rules in relation to personal data and advertising

News

UK Home Office data protection law breach: Jon Baines comments

Abstract glowing blocks News

Is time running out for the Data Protection and Digital Information Bill?

How can we help you?
Help

How can we help you?

Subscribe: I'd like to keep in touch

If your enquiry is urgent please call +44 20 3321 7000

I'm a client

I'm looking for advice

Something else