What is a DPIA?

A Data Protection Impact Assessment (DPIA) is a formal, documented process that helps identify and minimise data protection risks linked to the installation of a CCTV system.

The ICO requires organisations to do a DPIA for any data processing that may result in a ‘high risk’ to individuals. Biometric data processing and the use of AI are both regarded as ‘high risk’ categories, and therefore require a DPIA.

What’s involved in a DPIA?

A DPIA is designed to show that you have considered the data processing risks and minimised them, a risk being defined as something that could ‘do harm’ to an individual.

The basics of a DPIA are:

  • description of the nature, scope, context and purpose of the data processing

  • assessment of the necessity and proportionality of measures

  • identification of risks to the individual

  • identification of measures to mitigate risks

Facial recognition and Data Protection laws

If you’re a commercial organisation planning on installing a facial recognition system, you need to do a DPIA to make sure all personal data processing risks are considered.

If implemented properly, a facial recognition CCTV system is not a high risk to personal data processing; however, all risks need to be considered.

Facial recognition and Data Protection considerations

Key data processing & data protection considerations that need to be taken into account when implementing a facial recognition CCTV system include:

  • The nature of data processing: how you will collect, use, store and delete data. What the source of data is. Whether data will be shared with anyone else.

  • The nature of the data itself: what data are you collecting. Does the data include any criminal offence data. How long will you keep it for. How large is the data set (i.e. how many people will it cover). What geographical area does it cover.

  • The context of the processing: what’s the relationship with the individuals you are collecting data on. What level of control will the individuals have over the data. Does the data cover ‘vulnerable groups’ (e.g. children). Are there any known security issues with the technology used.

  • What’s the purpose of the processing: what do you want to achieve. What are the benefits of the processing.

  • Consultation: how do you intend to consult individuals. If you do not consider consultation, what is the justification.

  • Assessment of necessity & proportionality: does the processing achieve the purpose. Are there other ways of achieving the same goal. How do you support individuals’ rights.

  • Risk identification: what are the risks and impact on individuals. What are the corporate risks.

  • Risk reduction: what ideas do you have to reduce risks.

 

Facial recognition Data Protection document

The following is a standard template for doing a DPIA for a facial recognition CCTV system: Download DPIA template here.

 

Speak to our team

If you’re planning to implement a facial recognition system, speak to our team for advice from both a technical & operational implementation perspective.