The ICO's guidance on GDPR

UK-based asset managers will need to conduct impact assessments when processing data that may result in a "high risk" to individuals' rights and freedoms

Ahead of the May 25, 2018 implementation date of the General Data Protection Regulation (GDPR), the United Kingdom's Information Commissioner's Office (ICO) has published a guidance note on compliance with the sweeping new data protection regime.[1] GDPR will usher in a new era of stringent protections around the use of customer data for transactions that occur within European Union (EU) member states.

UK-based asset management firms will need to ensure they understand their responsibilities for the protection of customer data under the ICO guidance. Any firm in breach of the ICO data protection requirements could incur significant fines. 

Assessing the impact of data processing

Key insights

  • New guidance published by the Information Commissioner's Office in the UK spells out a broad range of circumstances under which firms will need to conduct data protection impact assessments
  • Any data processing activities likely to result in a "high risk" to individuals' rights and freedoms, including profiling or the use of biometric, genetic or location data, will mandate the completion of an impact assessment
  • The ICO has set out a template for conducting DPIAs, which UK-based asset managers will need to study closely to ensure compliance ahead of the GDPR's implementation date on May 25, 2018

The main takeaway of the ICO guidance is that UK-based asset managers will need to conduct a data protection impact assessment (DPIA) before carrying out the types of data processing likely to result in high risk to individuals' rights and freedoms. If the firm finds it cannot mitigate the risk on its own, it will need to consult the ICO for further guidance.  

A DPIA is a process designed to help firms systematically analyze, identify and minimize the data protection risks of their operations. DPIAs replace privacy impact assessments (PIAs), which have been used by financial services firms in the UK for a number of years as a good practice measure to identify and minimize privacy risks associated with new projects. DPIAs are similar to PIAs but include important differences: they are mandatory for any high-risk use of customer data; they are broader in scope, since they include potential infringement of any individual rights and freedoms (not just privacy rights); and they require a more exhaustive assessment of impact, including soliciting the views of people whose data firms intend to process. Firms that already conduct PIAs will need to ensure they are compliant with the more stringent requirements of DPIAs; those that don't conduct PIAs will need to embed the DPIA regime into their business practices.  

DPIAs required in a wide range of circumstances  

According to GDPR, firms must perform a DPIA before beginning any type of processing, for any type of project, which is "likely to result in a high risk" to any individuals' rights and freedoms under EU law, the scope of which includes:

  • the use of systematic and extensive profiling with significant effects
  • the processing of special category or criminal offense data on a large scale
  • the systematic monitoring of publicly accessible places on a large scale

In addition, the ICO requires firms to conduct a DPIA if they plan to: use new technologies; apply existing technologies (such as artificial intelligence) in novel ways; process biometric data; process genetic data; match data or combine datasets from different sources; collect personal data from a source other than the individual without providing them with a privacy notice ("invisible processing"); or track individuals' location or behavior.

GDPR does not include specific guidance on when data processing is "likely to result in a high risk." The ICO recommends approaching the initial evaluation on a broad, common sense basis. The intent of the DPIA is to identify the true scope of the risk once firms perform that initial screening. Firms are exempt from DPIAs in only rare circumstances, such as if the data in question is being processed according to a clear legal/statutory obligation, or the data processing operation falls under a forthcoming list of express exemptions to be published by the ICO.

The DPIA template 

Although firms are free to conduct DPIAs as they see fit, the ICO has provided an assessment template. The key steps in the exercise are for firms to describe the data processing they plan to undertake (how data will be collected, stored, used, etc., with whom it will be shared, and how long it will be stored), assess the necessity of the data processing within the scope of the project's overall business objective, identify the potential risks, and consider measures to mitigate those risks. Importantly, the ICO guidance says that firms must seek the views of the individuals whose data is to be processed (or their representatives) unless there is a good reason not to.

The assessment of risks should be "objective." In particular, firms need to consider whether the data processing could potentially contribute to an individual's inability to exercise rights (including but not limited to privacy rights), or result in the loss of control over the use of personal data, among other scenarios.

Where a DPIA concludes that data processing associated with a particular process is likely to result in a high risk to individual rights and freedoms, firms must integrate measures to reduce that risk in their business operations. Firms must consult the ICO if a DPIA has identified a high risk and measures cannot be taken in-house to reduce the risk. The ICO intends to provide a response containing appropriate guidance within 8 to 14 weeks. 

The reputational benefits of compliance 

The ICO has stressed the degree to which DPIAs need to be kept under review and regularly updated to ensure accountability. The guidance also recommends building a culture of DPIA awareness within organizations, so that data protection is integrated into business practices on an ongoing basis. Firms with robust and rigorous DPIA processes will, the ICO says, reap considerable reputational benefits. Publishing DPIAs, for example, could help firms foster trust in their processing activities and ensure they are seen as "good actors" in the EU's bold new era of data protection. Asset management firms will need to study the ICO's guidance closely as the GDPR's implementation date approaches.

  1. Information Commissioner's Office (March 22, 2018) Consultation: GDPR DPIA guidance