On 6 July 2020, the European Data Protection Supervisor (EDPS) published a report on the use of data protection impact assessments (DPIAs) within EU institutions.
This report, based on replies by 39 EU institutions, bodies and agencies (EUIs), appears to be the first comparative study of various DPIAs (17 finalised DPIAs reviewed) and of the reasons for carrying out or not carrying out a DPIA.
What is a DPIA, and why should you care?
Under the GDPR (and Regulation 2018/1725, the GDPR for EU institutions), when contemplating any "high risk" processing activity, a controller must carry out a data protection impact assessment or DPIA.
A DPIA is supposed to contain at least:
- a "systematic description" of the contemplated processing operations (including purposes and legal grounds);
- an "assessment of the necessity and proportionality of the processing operations in relation to the purposes";
- an assessment of the "risks to the rights and freedoms of data subjects"; and
- a description of contemplated mitigation measures to address those risks.
Where a DPIA is required, failure to carry one out is an infringement of the GDPR and could lead to administrative fines (as has for instance been the case in Finland).
What is "high risk"? When is a DPIA required?
For non-EUIs, guidance from the European Data Protection Board (EDPB) is relevant in determining what is "high risk". To quote an earlier newsletter on the topic:
The concept of "high risk" gave rise to the publication by a pan-EU group of supervisory authorities (the Article 29 Working Party or WP29) of guidance on DPIAs, with 9 criteria that enable controllers to determine whether their processing activities are "high risk" or not. This WP29 guidance was later confirmed by the WP29's successor, the European Data Protection Board (EDPB). The rule of thumb with the WP29 guidance was that if 2 criteria or more are met, the processing is automatically "high risk". According to that same guidance, processing activities started before 25 May 2018 (the date on which the GDPR became applicable) meeting those WP29 DPIA criteria do not require a DPIA, unless there is any change to the risks since then.
In Belgium, the BDPA adopted its own list of 8 scenarios in which a DPIA is automatically required (with many of these scenarios combining two or more of the WP29 DPIA criteria in practice).
Such lists exist in Luxembourg and in the Netherlands (as well as other EU countries), but with noticeable differences from country to country.
For EUIs, the EDPS essentially copied the 9 EDPB criteria (see in particular Annex 1).
However, even meeting these criteria does not necessarily mean a DPIA is required. Indeed, according to regulatory guidance, a DPIA is not required for processing activities that have remained unchanged since before the new rules (the GDPR for non-EUIs; Regulation 2018/1725 for EUIs) became applicable.
In practice, the EDPS noted that over the course of nearly two years, only 4 out of the 39 EUIs had finalised more than two DPIAs – perhaps an indication that few processing activities had actually changed.
Which methodologies are used?
Several methodologies have been developed over the past few years to help organisations in carrying out DPIAs, notably by the EDPS itself, the UK's ICO, the French CNIL, the EDPB etc.
In its survey, the EDPS found that the largest number of EUIs developed their methodologies based on the methodology of the EDPS, followed by those of the ICO and the CNIL. Others appear to have had less of an influence, although the EDPS states that "Some EUIs have combined several externally developed methodologies to best suit their specific needs", an approach that we have seen with several non-EUI organisations.
In other words, if you hear your peers or competitors praise the DPIA tool of any given regulator or external service provider, do not worry if you do not use it, as EUIs themselves do not use a common methodology or tool either. Instead, focus on finding – or creating – the methodology that best suits your needs.
What are the other key findings?
While its focus lies in presenting the findings of the survey, the EDPS report includes statements that are easily translated into dos and don'ts:
1) Don't limit yourself to a short assessment: The EDPS states in its report that "given the comprehensive analysis and the weighing of different risks needed to produce a meaningful DPIA, a five page solution would at any rate seem to be less than required". It is worth stressing here that DPIAs are needed for high-risk processing scenarios, and the purpose of the DPIA is to help determine whether the mitigation measures sufficiently address the risks to data subject rights that have been identified. In this context, the EDPS's suggestion that five pages might be "less than required" is understandable, but we consider that it must still be viewed in relative terms. A well thought-out 4-page DPIA is not necessarily worse than a hastily assembled 20-page DPIA – instead, the focus should lie on whether the assessment was given the necessary attention.
2) Examine the impact on key rights: According to the EDPS, "all rights and freedoms of these data subjects that are potentially at stake should be listed - and mitigating measures should be based on these considerations". This position seems a little extreme, as it is difficult to see how organisations could be criticised for not examining all possible risks. However, the EDPS includes at the end of its report (in its annex 2(2)) a list of key rights to examine (e.g. non-discrimination, human dignity, data protection etc.). Explicitly including these rights in an organisation's template DPIA form can help improve its quality.
3) If you don't carry out a DPIA, document your reasons: In cases where this is not done, the EDPS notes that "important considerations leading to the conclusion not to conduct a DPIA will remain undocumented", which the EDPS calls "regrettable". It is likely that national supervisory authorities share this point of view.
4) Avoid box-ticking exercises: The EDPS found that many institutions using "yes/no" forms were failing to properly justify their choices (in particular regarding the choice of whether to carry out a DPIA). This comment is related to the points above on "short assessments" and documenting reasons. Whether they work with a Word- or Excel-type DPIA form, with open text fields or "yes/no" standard responses, it is crucial that organisations take the time to explain their assessment so that the supervisory authority is able to understand their reasoning.
It may not always be easy to abide by these recommendations when starting a new project. However, we have found that organisations that embed a DPIA stage into the design phase of any initiative are in a strong position to demonstrate compliance with principles such as data protection by design and accountability. Sometimes it is just a matter of finding the right questions to ask – and the right allocation of tasks.
The EDPS report is available online.