DPIAs for retail and hospitality 

Although DPIAs (data protection impact assessments) are not a new concept, the GDPR (General Data Protection Regulation) now mandates them under certain circumstances. A DPIA is essentially a risk assessment that needs to be conducted before carrying out any processing activities, particularly those “using new technologies”, that are “likely” to result in a “high risk” to the rights and freedoms of natural persons. The primary aim is to reduce the possible harm to the data subject.

A DPIA assesses risk

The DPIA process includes:

  • Determining whether one is legally required (your data protection officer, if you have one, should advise on this);
  • Describing the envisaged processing activities and purposes of processing;
  • Assessing the “necessity and proportionality” of the processing activities against those processing purposes;
  • Assessing the risks to the right and freedoms of data subjects; and
  • Establishing what measures you intend to use to address those risks.

All decisions should be recorded and signed off. You should also integrate any actions in the project plan relating to the new activities you have assessed to ensure the risks identified are addressed and brought within acceptable levels.

Again, the DPIA should be carried out before starting the processing activities. That way, you can minimise risk to the data subject by implementing any remedial actions first, or even deciding against the processing activity altogether. You must consult the ICO (Information Commissioner’s Office) about risks that can’t be mitigated before starting the processing. The ICO also has excellent guidance on exactly when to carry out a DPIA.

It’s relevant for everyone, including retail and hospitality

All organisations are likely to come across a situation that legally requires a DPIA at some point. Retail and hospitality organisations will likely need to conduct several to cover all their processes, both new and existing. Your organisation may have huge amounts of customer data, based on their purchases or bookings. You can build a picture of their behaviour and may even process special category data, such as health data. Loyalty programmes, device tracking and CCTV are just a few examples of activities that will probably need a DPIA to ensure the risk to the privacy of customers’ personal information is justified and that plans are put in place to mitigate that risk.

Common activities for retail and hospitality requiring DPIAs

To give an idea of what activities may require a DPIA in real terms for the retail and hospitality sectors, here is a non-exhaustive list:

  1. CCTV
    Many shops, restaurants and hotels have CCTV in place for security, but as you’re capturing images of people’s faces (something that can identify an individual, and therefore deemed personal data), you’re processing their data without giving them a choice.
  2. Monitoring of employees’ activities
    Do you monitor what employees do on company computers? Perhaps track their start and finish times for shift work? Any system that tracks what employees are doing would be subject to a DPIA.
  3. Collection of public social media profiles
    For example, when a customer registers with their Facebook account in order to log in, collect points or gain access to an offer.
  4. Wi-Fi/Bluetooth/RFID tracking
    For example, if you replace traditional hotel key cards with RFID wristbands or key cards, a DPIA would be needed, as these not only give access to different hotel areas, but can also allow seamless purchases within the hotel or resort.
  5. Any processes to assess customers before contracts
    Such as credit checks resulting in possible denial of service.
  6. Access control/identity verification for hardware/applications
    Use of facial/voice recognition and fingerprints to govern access constitutes biometric data which is special category data, the processing of which would constitute a reason to conduct a DPIA.
  7. Online tracking by third parties
    Online advertising, data aggregation and data aggregation platforms would all require a DPIA.
  8. Processing using wearable smart technologies
    Using devices such as smart watches or glasses – either for employee benefit, such as ensuring individuals are working at appropriate exertion levels to avoid workplace injury during material handling, or for interreacting with customers to check stock-level information or upsell other products – would require a DPIA.
  9. Loyalty schemes
  10. Processing location data of employees
    Such as tracking their vehicle or mobile phones as part of their work.

What are my next steps?

If you’ve identified a process that could result in a risk to the rights and freedoms of data subjects, it’s time to conduct your DPIA.

Make the process easy with the DPIA Tool.

Speed up and simplify the DPIA process to ensure compliance with the GDPR. This software tool helps to determine if a DPIA is required, and standardises the procedure, documenting everything as you go. Identify risks and the impact they may have, and easily share your information.

Read more about the DPIA Tool>>

IT Governance offers a range of solutions to help you confidently undertake a DPIA, from software and toolkits to training and consultancy. Visit our website to find out more about the tools available, or email the team to discuss your specific needs.