Step 6: How do we identify mitigating measures?
Against each risk identified, record its source. You should then consider options for reducing that risk. For example:
- deciding not to collect certain types of data;
- reducing the scope of the processing;
- reducing retention periods;
- taking additional technological security measures;
- training staff to ensure risks are anticipated and managed;
- anonymising or pseudonymising data where possible;
- writing internal guidance or processes to avoid risks;
- using a different technology;
- putting clear data-sharing agreements into place;
- making changes to privacy notices;
- offering individuals the chance to opt out where appropriate; or
- implementing new systems to help individuals to exercise their rights.
This is not an exhaustive list, and you may be able to devise other ways to help reduce or avoid the risks. You should ask your DPO for advice.
Record whether the measure would reduce or eliminate the risk. You can take into account the costs and benefits of each measure when deciding whether or not that measure is appropriate.
Step 7: How do we conclude our DPIA?
You should then record:
- what additional measures you plan to take;
- whether each risk has been eliminated, reduced, or accepted;
- the overall level of ‘residual risk’ after taking additional measures; and
- whether you need to consult the ICO.
You do not always have to eliminate every risk. You may decide that some risks, and even a high risk, are acceptable given the benefits of the processing and the difficulties of mitigation. However, if there is still a high risk, you need to consult the ICO before you can go ahead with the processing.
As part of the sign-off process, you should seek and document DPO advice on whether the processing is compliant and can go ahead. If you decide not to follow their advice, you need to record your reasons.
You should also record any reasons for going against the views of individuals or other consultees.
What happens next?
You must integrate the outcomes of your DPIA into your project plans. You should identify any action points and who is responsible for implementing them. You can use the usual project-management process to ensure these are followed through.
You should monitor the ongoing performance of the DPIA. You may need to cycle through the process again before your plans are finalised.
If you have decided to accept a high risk, either because it is not possible to mitigate or because the costs of mitigation are too high, you must consult the ICO before you go ahead with the processing. See the next section for more information on this consultation process.
To aid transparency and accountability, it is good practice to publish your DPIA. This could help foster trust in your processing activities, and improve individuals’ ability to exercise their rights. If you are concerned that publication may reveal commercially sensitive information, undermine security or cause other risks, you should consider whether you can redact (black out) or remove sensitive details, or publish a summary.
When considering publishing DPIAs, public authorities should think about their wider transparency obligations, such as complying with the Freedom of Information Act. Before UK GDPR, many public authorities included privacy impact assessments in their definition documents for publication schemes.
You need to keep your DPIA under review. You may need to repeat it if there is a substantial change to the nature, scope, context or purposes of your processing.