This series provides more detailed insight into the General Data Protection Regulation, which was published on 4 May 2016 and must be complied with by 25 May 2018.
This issue focuses on the data protection impact assessment ("DPIA"). The DPIA is a tool to demonstrate compliance with the GDPR, used by data controllers to assess the risks to data subjects posed by certain processing activities.
The Article 29 Working Party has already issued useful draft guidelines ("Article 29 WP Guidance") in this regard, and the Belgian Privacy Commission recently organized a public consultation on its DPIA recommendations, which closed on 28 February 2017 (available in French and Dutch).
When is a DPIA required?
When a processing activity uses new technologies and, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, assess the impact of the proposed processing on the protection of personal data.
A single assessment may address a set of similar processing activities that present similar high risks.
The GDPR lists a number of situations in which a DPIA is required, including the following:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning these natural persons or similarly significantly affect them;
- large-scale processing of sensitive data; and
- large-scale, systematic monitoring of a publicly accessible area.
In addition, the national supervisory authorities must establish a list of processing activities for which a DPIA is required. The Belgian Privacy Commission's draft recommendations contain such a list including among other things the following processing activities:
- the processing of biometric data;
- the processing of genetic data;
- the assessment of personal characteristics to analyse or predict professional achievements, economic situations, health, personal interests, etc.; and
- large-scale profiling.
In order to comply with the DPIA requirement, controllers must first perform an initial assessment of each processing activity in order to verify whether it could result in a high risk to data subjects. If so, the controller must carry out a DPIA.
The Article 29 WP Guidance stipulates criteria to assess the risk posed by processing activities.
When is a DPIA not required?
A DPIA is not required in the following cases:
- the processing is not likely to result in a high risk to the rights and freedoms of natural persons;
- the nature, scope, context and purposes of the processing are very similar to a processing activity for which a DPIA has already been carried out;
- there is a legal basis for the processing in EU or Member State law and it is expressly stated that a DPIA need not be carried out;
- there is a legal basis for the processing in EU or Member State law and a DPIA has already been carried out in order to establish that legal basis;
- the processing activity is included on the optional list established by a national supervisory authority of processing activities for which no DPIA is required.
Is a DPIA required for processing activities already in progress?
A DPIA is required for processing activities that meet the relevant criteria and are initiated after the GDPR enters into effect on 25 May 2018. In other words, a DPIA is required only for processing activities that begin after 25 May 2018.
However, if processing activities in progress are significantly changed after 25 May 2018, a DPIA will be required.
A DPIA must contain at least the following information:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects; and
- the measures proposed to address these risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.
Controllers are free to choose the methodology they wish to use to perform a DPIA. However, the Article 29 WP Guidance contains a list of criteria (Annex 2) which this methodology must meet in order to comply with the GDPR.
Parties involved in a DPIA
The data controller, further to the advice of its data protection officer, if any, is responsible for carrying out the DPIA. However, if a data processor is involved in the processing, the processor should assist the controller in performing the DPIA.
The controller must consult the data subjects or their representatives, where appropriate. Unfortunately, the GDPR does not indicate under which circumstances it is appropriate to do so.
The Article 29 WP Guidance contains further recommendations on this subject.
Consultation of the supervisory authority
Where a DPIA indicates a high risk in the absence of measures taken by the controller, the controller must consult the competent supervisory (i.e. data protection) authority prior to the processing.
The available guidance specifies that consultation is only required in case of a high residual risk, i.e. the risk that remains after the relevant measures and controls have been put in place. However, this seems to conflict with the wording of the GDPR, which rather refers to the inherent (or gross) risk, being the level of risk if no measures or controls are put in place. Hopefully this will be clarified in the near future.
A DPIA is not a one-off procedure but rather a continuous effort and must be revisited in the event of changing circumstances and risks and in any case every few years.
Publication of the DPIA
The GDPR does not require that a DPIA be published. Nevertheless, the Article 29 Working Party encourages controllers to do so as this can help foster trust in the controller's processing activities and demonstrate accountability and transparency.
- A DPIA is required for processing operations which are likely to result in a high risk to the rights and freedoms of natural persons.
- A DPIA is required for processing activities that meet the relevant criteria and are initiated after the GDPR enters into effect on 25 May 2018.
- National supervisory authorities are obliged to draw up a list of processing operations for which a DPIA is required.
- The obligation to perform a DPIA is borne by the controller, who should seek the assistance of its DPO, if any.
- If a data processor is involved in the processing activity, it should assist the controller with the DPIA.
- Where appropriate, the data controller should consult with the data subjects or their representatives.
- Data controllers are free to choose the methodology for a DPIA, provided it meets certain minimum requirements.
- If it appears from a DPIA that the risks to the rights and freedoms of data subjects are high in the absence of measures taken to mitigate the risk, the data controller must inform the competent supervisory authority.
- Put in place procedures to perform a pre-DPIA analysis for each processing operation.
- Fit the DPIA into your existing risk assessment procedures, if any, or put in place a separate DPIA procedure.
- Document both pre-DPIA analyses and the DPIA itself.
- Regularly review your DPIAs.