Ah, Christmas – how I’ve missed thee. Crackers. Mulled wine. Goodwill to all men. And running downstairs to tear open the wrapping paper on a new…statutory code of practice.
This year, I’ll mostly be reading the UK ICO's new data sharing code. The Code doesn’t break much new ground, but it does contain a good amount of practical and useful information, including on data sharing agreements and post-M&A sharing. If you’re at a loose end during the Crimbo Limbo, or can’t deal with being the worst in your family at Dobble (who, me?), it’s worth a look.
The new requirements on data protection impact assessments make for particularly interesting reading. This is an aspect of data protection compliance that some organisations still struggle with, and many won’t have considered it specifically in the context of data sharing.
- The ICO really wants you to conduct DPIAs to assess the risks of transferring data. As you know, whilst DPIAs are good practice generally, they are required for processing (including sharing) that is likely to result in a high risk to individuals. However, the Code repeatedly advises organisations to conduct DPIAs before sharing data, “even if there is no specific indicator of likely high risk”.
- Tellingly, the ICO links the DPIA process to your wider compliance obligations, such as accountability, transparency and security. Where an organisation has taken into account the nature, scope, context and purposes of the sharing, and is “confident that the type of data sharing [it] has in mind is unlikely to result in high risk”, a DPIA isn’t legally required. But how does the ICO suggest you take these things into account? By conducting a DPIA, of course.
- So, whilst certain low-risk projects will still be out of scope, it seems clear that the ICO will expect to see DPIAs being conducted for your chunkier data sharing activities (or, at the very least, that you’ve otherwise documented your thought process), even where this isn’t legally required. The Code also makes clear that, in the event of a complaint or investigation, the ICO may ask for your DPIA. Given all of the above, it’ll be a tough sell to argue that you decided not to conduct one.
We recommend that as a first step you carry out a Data Protection Impact Assessment (DPIA), even if you are not legally obliged to carry one out. Carrying out a DPIA is an example of best practice, allowing you to build in openness and transparency.