What is a High Risk Assessment for Data Protection?
A High Risk Assessment (HRA) is a mandatory screening process used to determine if a data processing activity is likely to result in high risks to individuals. Under the Data Protection Act (2018), organizations must conduct an HRA as a preliminary step to decide if a full Data Protection Impact Assessment (DPIA) is legally required.
When is a High Risk Assessment Required?
An organization must perform a High Risk Assessment when it initiates new processing activities. This ensures that where the activity uses innovative technologies or involves large-scale monitoring, the need for a DPIA is identified before processing begins. A DPIA is a statutory requirement to evaluate whether processing activities, such as automated profiling or handling sensitive criminal data, could significantly impact the rights and freedoms of the data subjects involved.
What are the Criteria for Identifying High-Risk Processing?
The Information Commissioner’s Office (ICO) identifies the following primary criteria for high risk:
- evaluation or scoring,
- automated decision-making,
- systematic monitoring,
- sensitive data processing,
- large-scale data handling,
- matching datasets,
- vulnerable data subjects,
- innovative technology use, and
- any processing that prevents individuals from exercising their legal rights.
If two or more criteria are met, a DPIA is generally mandatory.
How Do You Screen for High Risk in New Projects?
To screen for high risk, organizations should utilise a structured checklist during the initial project planning phase. This involves assessing the nature, scope, and context of the data processing to determine the likelihood and severity of harm to individuals. If the screening confirms a “high risk,” the organization must proceed to a formal DPIA to mitigate those threats effectively.
How Can ProvePrivacy Help Automate High Risk Assessments?
ProvePrivacy simplifies the screening process by providing an integrated High Risk Assessment tool that guides users through essential compliance checklists. The platform automatically triggers alerts when high-risk thresholds are met, ensuring that organizations seamlessly transition from a preliminary screening to a full DPIA while maintaining a robust audit trail for regulatory accountability.
Comparison: Manual Screening vs. ProvePrivacy High Risk Assessment
| Feature | Manual Checklist | ProvePrivacy High Risk Assessment |
|---|---|---|
| Consistency | Highly subjective and variable | Standardised screening logic |
| DPIA Triggers | Risk of manual oversight | Automated alerts for high-risk data |
| Compliance History | Fragmented documentation | Centralised audit trail |
| Regulatory Alignment | Requires constant manual updates | Pre-mapped to ICO & GDPR criteria |
| Project Integration | Often completed too late | Integrated into the RoPA (Record of Processing Activities) |
Sources
- Data Protection Act (2018): https://www.legislation.gov.uk/ukpga/2018/12/contents
- ICO Guidance on DPIAs and High Risk: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/when-do-we-need-to-do-a-dpia/