Introduction
WeThrive is fully committed to protecting the personal data of its customers, employees, suppliers and other stakeholders in accordance with the EU and UK GDPR, the UK Data Protection Act 2018 and other privacy legislation. We take data privacy seriously and have put in place a range of methods and controls that govern how we handle and protect personal data.
As part of this commitment, WeThrive ensures that all activities involving the processing of personal data that are likely to result in a high risk to data subjects are subject to a data protection impact assessment (DPIA). The purpose of the assessment is to ensure that the risks to data subjects from any processing activity are understood and that suitable mitigations have been put in place before processing begins.
This document outlines the DPIA procedure.
Scope
The scope of this procedure is all processing involving personal data that is carried out by WeThrive.
Responsibilities
WeThrive recognises that it has a corporate responsibility to ensure that all data is processed in accordance with any relevant legislation and guidance to which it is subject.
All individuals covered by the scope of this procedure are responsible for understanding when a DPIA may be needed and for initiating one where required.
The project leader is responsible for initiating the procedure and for conducting the DPIA together with the Data Protection Officer.
The Data Protection Officer is responsible for conducting the DPIA in partnership with the owner of any new project/system/process that is being considered.
The Data Protection Officer is responsible for communication with the Supervisory Authority where required (prior consultation under Article 36 of the GDPR), under the instruction of the Commercial Director.
The Data Protection Officer is responsible for making recommendations on whether the processing can proceed.
The Commercial Director is responsible for the final decision on whether processing will proceed.
The Data Protection Officer is responsible for reviewing the DPIA and defining the time scale for review.
Establish need and context
There are a number of criteria that determine when a DPIA should be carried out. Article 35 of the GDPR states that a DPIA shall be required when the proposed processing involves:
A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
Processing on a large scale of special categories of data referred to in Article 9(1) or of personal data relating to criminal convictions and offences referred to in Article 10; or
A systematic monitoring of a publicly accessible area on a large scale.
In general, WeThrive specifies that a DPIA is appropriate for any project that does one or more of the following:
Presents a high risk to the data subject;
Uses innovative technology (in combination with any of the criteria from the European guidelines);
Uses profiling or special category data to decide on access to services;
Profiles individuals on a large scale;
Processes biometric data (in combination with any of the criteria from the European guidelines);
Processes genetic data (in combination with any of the criteria from the European guidelines);
Matches data or combines datasets from different sources;
Collects personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’) (in combination with any of the criteria from the European guidelines);
Tracks individuals’ location or behaviour (in combination with any of the criteria from the European guidelines);
Profiles children or targets marketing or online services at them; or
Processes data that might endanger the individual’s physical health or safety in the event of a security breach.
If there is uncertainty as to whether a DPIA is required, the Data Protection Officer should consult the Commercial Director for clarification and further guidance. On behalf of the Commercial Director, the Data Protection Officer may, where necessary, consult the ICO or external legal advisers for further guidance. If the resulting guidance is inconclusive, the default approach is to conduct the DPIA.
Procedure
For any new project involving the processing of personal data, the project leader should:
Identify the need for a DPIA in accordance with the criteria outlined in the ‘Establish need and context’ section of this procedure; if in doubt, consult the Data Protection Officer.
Create a DPIA using the DPIA template provided.
Complete as much of the DPIA as possible.
Refer to the Data Protection Officer for support on completing the rest of the DPIA.
Risks will be assessed according to the likelihood and impact scales defined in the DPIA template.
Once completed, the Data Protection Officer will review the DPIA and make recommendations on whether processing can proceed. The Data Protection Officer will also recommend a review period for the DPIA.
Where the residual risk of the processing remains high after the planned mitigations, the Data Protection Officer, on behalf of the Commercial Director, will refer the DPIA to the ICO for prior consultation. Processing must not begin until the ICO has responded; under Article 36(2) the ICO has up to eight weeks to respond, extendable by a further six weeks for complex cases. The referral will provide the ICO with the following information:
Details of the respective responsibilities of the controller, joint controller, and processors (where applicable);
Purpose and means of processing;
The controls that will be implemented to protect the data;
Contact details of the Data Protection Officer; and
A copy of the DPIA.
The final decision on whether processing may proceed will be made by the Commercial Director. Where the Commercial Director overrules the recommendations of the Data Protection Officer, the decision and the reasons for it will be documented in the DPIA.
Processing must not start until the Commercial Director has approved it.
The Data Protection Officer will review the DPIA in accordance with the agreed review period, at least annually, and whenever there is a material change to the nature, scope, context or purposes of the processing. The review period will be recorded in the DPIA log.