Data Protection Impact Assessment (DPIA)

Do we need a DPIA for Life QI?

A DPIA (also known as privacy impact assessment or PIA) is an assessment tool which is used to identify, assess and mitigate any actual or potential risks to privacy created by a proposed or existing process or project that involves the use of personal data.

Article 35(1) of the GDPR says that a DPIA must be completed where the type of processing is "likely to result in a high risk to the rights and freedoms" of individuals. The GDPR doesn't define "likely to result in high risk", and this is left to organisations to interpret.

Whilst DPIA requirements can vary between organisations, it is very unlikely that a DPIA is required to use Life QI, based on the guidance given in the GDPR and elsewhere.


DPIA requirements from the GDPR

Article 35(3) of the GDPR identifies 3 types of processing which always require a DIPA:

  1. Systematic and extensive profiling with significant effects
  2. Large scale use of sensitive data
  3. Public monitoring

Life QI does not process data in any of these ways.


Other processing that might be considered high risk

The Article 29 working party of EU data protection authorities (WP29) published guidelines with nine criteria which may act as indicators of likely high risk processing:

  • Evaluation or scoring.
  • Automated decision-making with legal or similar significant effect.
  • Systematic monitoring.
  • Sensitive data or data of a highly personal nature.
  • Data processed on a large scale.
  • Matching or combining datasets.
  • Data concerning vulnerable data subjects.
  • Innovative use or applying new technological or organisational solutions.
  • Preventing data subjects from exercising a right or using a service or contract.

Life QI does not process data in any of these ways.