Required under Article 35 UK GDPR where processing is likely to result in a high risk to data subjects. Mintstone has identified two processing activities that require a DPIA.
Why these DPIAs exist: The ICO requires a DPIA where processing involves (a) systematic and extensive profiling or automated decision-making, (b) large-scale processing of special category data, or (c) innovative use of new technologies. Mintstone's use of AI for transaction classification and document analysis, combined with Open Banking financial data, meets threshold (c). These DPIAs were completed before any customer data was processed.
Mintstone retrieves bank transactions from borrowers' accounts via TrueLayer (FCA-authorised Open Banking provider) to verify drawdown expenditure, monitor construction costs against budgets, and check loan covenant compliance. Transactions are automatically classified into spend categories using OpenAI's API (zero-retention) to match them against JCT budget line items.
Lawful basis: Article 6(1)(b) Contract (necessary for loan monitoring service) and Article 6(1)(c) Legal obligation (regulatory record-keeping).
| Risk | Likelihood | Severity | Overall | Mitigation |
|---|---|---|---|---|
| Unauthorised access to bank transaction data | Low | High | Medium | RBAC, AES-256 encryption at rest, TLS 1.3 in transit, MFA for admin access, SHA-256 audit trail |
| Data breach at sub-processor (TrueLayer, OpenAI) | Low | High | Medium | TrueLayer is FCA-authorised with regulated security standards; OpenAI zero-retention API (data not stored); DPAs with both; breach notification clauses ≤ 48 hours |
| AI misclassification leads to incorrect covenant assessment | Medium | Medium | Medium | All AI outputs presented to human users for review; confidence scores displayed; manual override available; no autonomous decisions |
| Excessive data collection beyond monitoring purpose | Low | Medium | Low | Only transaction data retrieved (no other banking products); account numbers excluded from AI API calls; 90-day consent expiry |
| Borrower unaware of transaction monitoring | Low | Medium | Low | Open Banking consent flow is explicit and FCA-regulated; monitoring disclosed in facility agreement; privacy notice provided to borrower by lender |
| International transfer risk (OpenAI, US) | Low | Medium | Low | Zero-retention API (data not persisted in US); EU SCCs in place; only transaction descriptions transferred (no PII); OpenAI DPA in place |
Residual risk is acceptable. The combination of FCA-regulated Open Banking consent, zero-retention AI processing, data minimisation, human review of all outputs, and robust encryption/access controls reduces risk to a level that does not require consultation with the ICO under Article 36. Processing may proceed.
Mintstone uses AI services (OpenAI, Anthropic) to extract and analyse structured data from construction documents uploaded by lender staff and contractors. Anthropic Claude handles primary OCR and invoice extraction; OpenAI GPT-4o provides fallback OCR and Vision-based text extraction. This includes invoices, QS reports, professional certificates, valuations, and site photographs.
Lawful basis: Article 6(1)(b) Contract (necessary for loan monitoring) and Article 6(1)(f) Legitimate interests (efficient document processing; see LIA).
| Risk | Likelihood | Severity | Overall | Mitigation |
|---|---|---|---|---|
| Unauthorised access to uploaded documents containing personal data | Low | High | Medium | S3 server-side encryption (AES-256); pre-signed URLs with time-limited access; RBAC; file type validation via magic-byte inspection and size limits; audit logging |
| AI sub-processor data breach (OpenAI, Anthropic) | Low | High | Medium | Both sub-processors operate under zero-retention agreements (no customer data stored or used for training); DPAs and EU SCCs in place with each; breach notification clauses |
| AI hallucination produces incorrect data extraction | Medium | Medium | Medium | All AI outputs presented to human users for review and correction; confidence indicators where available; manual override for all extracted fields; original document always available for comparison |
| Incidental processing of individuals in site photographs | Medium | Low | Low | Photos processed for construction progress only; no facial recognition or biometric processing; non-essential EXIF metadata stripped before storage (GPS+timestamp retained for verification); access restricted via RBAC |
| International transfer of document content to US-based AI processors | Medium | Medium | Medium | Zero-retention API agreements (data not persisted in US); EU SCCs with all processors; data minimisation (relevant sections only); DPAs in place |
| Contractor personal data (bank details, qualifications) exposed beyond intended purpose | Low | Medium | Low | Extracted data visible only to authorised lender users on that project; RBAC; no data shared externally; contractor bank details used only for transaction matching |
sharp before S3 storage (Article 5(1)(c) data minimisation)Residual risk is acceptable. The combination of zero-retention AI processing, data minimisation, mandatory human review of all outputs, encrypted storage, RBAC, and comprehensive audit logging reduces risk to a level that does not require consultation with the ICO under Article 36. Processing may proceed.
Related documents: Privacy Policy · Retention Schedule · Legitimate Interests Assessments · Data Processing Agreement · Trust & Security