The Article 29 Working Party (WP29) has proposed guidelines to help organisations identify when it is necessary to carry out a Data Protection Impact Assessment (DPIA) and how to do so. The guidelines are open to public comment until 23 May 2017. DPIAs involve evaluating the potential impact that a new project will have on the privacy of individuals, and identifying ways to mitigate or avoid any adverse effects in advance of processing. The GDPR requires DPIAs to be carried out when processing is likely to result in a “high risk” to the rights and freedoms of natural persons.
What does a DPIA address?
The guidelines note that a DPIA may concern a single data processing operation, or multiple processing operations that are similar in terms of the risks arising, considering the nature, scope, context, and purposes of the processing. For example, the guidelines note that a railway operator (a single controller) could carry out one DPIA in respect of video surveillance occurring in all its train stations. Where the processing operation involves joint controllers, the DPIA should clearly set out their respective responsibilities to address any privacy risks.
When is a DPIA mandatory?
A DPIA is mandatory when processing is “likely to result in a high risk“. The guidelines set out the following criteria for data controllers to consider when assessing whether their processing operations may be “high risk”:
Does the processing involve evaluation or scoring, including profiling and predicting? – For example, a bank screening customers against a credit reference database, or building behavioural or marketing profiles based on usage or navigation on its website.
Does the processing involve automated-decision making that produces significant legal or similar effect on data subjects? – For example, carrying out processing that may lead to the exclusion or discrimination against individuals.
Are you performing systematic processing to observe, monitor or control data subjects, including in a publicly accessible area?
Are you processing of sensitive data or data relating to criminal convictions/offences? Or processing other data which may be considered as increasing the risk to individuals’ rights such as location data or financial data?
Are you processing data on a large scale? The following factors should be considered in determining whether processing is large-scale: (a) the number of data subjects involved; (b) the volume of data and/or range of different data items being processed; (c) the duration, or permanence of the data processing activity; (d) the geographical extent of the processing.
Do you match or combine datasets?
Do you process data concerning vulnerable data subjects? This processing of this type of data may require a DPIA because of the power imbalance between the data subject and the data controller, e.g. employee data, children’s data.
Do you make innovative use or apply technological or organisational solutions to data? – For example, combining use of finger-print and face-recognition data for improved physical access control etc. Use of a new technology may trigger the need to carry out a DPIA.
Do you transfer data outside the EEA?
Does the processing itself prevent data subjects from exercising a right or using a service or a contract? – For example, a bank screening customers against a credit reference database in order to decide whether to offer them a loan.
The guidelines provide that as a rule of thumb, a processing operation meeting less than two criteria may not require a DPIA, and processing operations meeting at least two of the criteria will require a DPIA. For example, according to the criteria, a company monitoring employees’ activities (e.g. their internet activity) should carry out a DPIA, as they are carrying out both ‘systematic monitoring’ and processing ‘data concerning vulnerable data subjects’. However, a processing operation meeting only one of these criteria may require a DPIA depending on the circumstances.
The GDPR requires supervisory authorities to publish and communicate a list of the kind of processing operations that require a DPIA to the European Data Protection Board (EDPB). The guidelines note that the criteria set out above can help authorities to constitute such a list.
When is a DPIA not required?
The guidelines note that a DPIA is not required where:
The processing is not likely to result in a high risk;
The processing operation is very similar to another operation for which a DPIA has already been carried out;
The processing has a legal basis in national or EU law; or
The processing is included on the optional list, established by the supervisory authority, of processing operations for which no DPIA is required.
The requirement to carry out a DPIA applies to processing operations initiated after 25 May 2018. However, the WP29 strongly recommends carrying out DPIAs for processing operations already underway prior to May 2018, that are still in progress at that date, particularly where there is a significant change to the processing operation after May 2018.
How to carry out a DPIA?
The DPIA should be carried out prior to the processing, in line with the data protection by design and by default principles. The controller is ultimately responsible for ensuring that the DPIA is carried out, but the DPIA may be carried out by someone else, inside or outside of the organisation. The controller must also seek the advice of the Data Protection Officer (DPO), where designated, and this advice, along with the decisions taken, should be documented within the DPIA. Where the processing is performed in whole or in part by a data processor, then that processor should assist the controller in carrying out the DPIA and provide any necessary information. Where appropriate, the controller is required to seek the view of data subjects. It must document its justification for not seeking the views of data subjects, if it decides that this is not appropriate. However the guidelines do not clarify when it is appropriate for a controller to seek data subjects’ views.
The GDPR sets out the minimum features of a DPIA, including:
A description of the proposed processing operations and the purposes of the processing;
An assessment of the necessity and proportionality of the processing;
An assessment of the risks to data subjects; and
The measures proposed to address the risks and to demonstrate compliance with the GDPR.
The GDPR provides controllers with flexibility to determine the precise structure and form of the DPIA. Annex 1 of the guidelines usefully sets out examples of existing EU DPIA frameworks, in Germany, Spain, France and the UK. Annex 2 further sets out criteria for an acceptable DPIA. The WP29 encourages the development of sector-specific DPIA frameworks, so that the DPIA can address the issues that arise in a particular economic sector, or when using particular technologies.
Publishing a DPIA is not a legal requirement of the GDPR, and is at the controller’s discretion. However, the WP29 encourages the publication of DPIAs, as such a process would help foster trust in the controller’s processing operations, and demonstrate accountability and transparency.
When must the supervisory authority be consulted?
A controller must consult the supervisory authority where the identified risks cannot be sufficiently addressed (i.e. the residual risks remain high). Controllers must also consult the supervisory authority when Member State law requires consultation for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health.
The guidelines will help data controllers to determine whether their processing operations are “high risk” and thus whether a DPIA is required. Failure to conduct a DPIA, or to consult a supervisory authority, where required, could result in a penalty of up to €10 million or 2% of annual worldwide turnover. However, regardless of whether a DPIA is mandatory, it would be prudent for businesses to carry out a DPIA as part of any new project involving personal data to ensure, and demonstrate, compliance with the GDPR.