The data protection impact assessment (DPIA) is a useful tool in helping organisations implement data processing systems that comply with the General Data Protection Regulation (GDPR), and it will be mandatory for some types of processing. Failure to conduct a DPIA, failure to conduct it correctly, or failure to consult a supervisory authority where required after a DPIA has been undertaken, could each lead to penalties of up to €10 million or 2% of worldwide turnover, whichever is higher.
The EU Article 29 Working Party (WP29) in its recently published draft guidelines seeks to clarify when DPIAs are necessary and how they should be applied. Summarised below are the key points from the guidelines:
Which processing operations are subject to a DPIA?
A DPIA is only mandatory where processing is “likely to result in a high risk to the rights and freedoms of natural persons”. When determining whether processing is likely to result in a high risk, the guidelines offer the following criteria to consider:
- Evaluation or scoring, including profiling
- Automated decision-making
- Systematic monitoring of individuals
- Processing sensitive data
- Data processed on a large scale
- Datasets that have been matched or combined
- Data concerning vulnerable data subjects
- Innovative use or application of technological or organisational solutions
- Data transfer across borders outside the European Union
- When the processing in itself ‘prevents data subjects from exercising a right or using a service or a contract’
The guidelines state that, as a rule of thumb, data processing operations that meet at least two of these criteria will require a DPIA.
How to carry out a DPIA?
The guidelines emphasise that a DPIA should be carried out prior to the processing and recommend taking a “privacy by design” approach: starting early, updating the DPIA throughout the lifecycle of the project, and treating the DPIA as a ‘continual process, not a one-time exercise’.
A DPIA may be carried out by someone other than the organisation, but the organisation remains ultimately accountable for it. This also applies when the data processing is outsourced to a service provider. An organisation must also seek the advice of the Data Protection Officer (DPO), where one has been designated, and, where appropriate, seek the views of data subjects regarding the processing.
The GDPR does not specify which DPIA process must be followed. There are a number of different established processes within the EU and the guidelines list some examples: