Under the General Data Protection Regulation (GDPR), controllers no longer have to notify the Data Protection Authorities of their data processing activities. Instead, they must:
– keep a record of their processing activities (see here for more details about the register); and
– carry out a Data Protection Impact Assessment (DPIA) where the data processing is likely to result in a high risk to the rights and freedoms of the data subjects.
A DPIA is a process designed to describe the processing, assess the necessity and proportionality of the processing and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data.
1. Who should carry out a DPIA?
According to the GDPR provisions, it is for the controller to perform a DPIA where one is required.
A DPIA should be carried out with the help of the Data Protection Officer (see here for the duties of the DPO), where a DPO has been appointed, and of any relevant processor(s).
2. What data processing is subject to a DPIA?
2.1. According to the GDPR
Not all data processing is subject to a DPIA. According to article 35 GDPR, a DPIA is to be carried out when data processing is likely to result in a high risk to the rights and freedoms of natural persons, in particular when using new technologies.
It shall be required in the case of:
- Systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects or similarly significantly affect the natural person (e.g. scoring)
- Processing on a large scale of special categories of data or relating to criminal convictions and offences
- Systematic monitoring of a publicly accessible area on a large scale
2.2. EDPB guidelines and criteria
The Data Protection Authority of each Member State should publish a list of the data processing operations subject to a DPIA (the published lists can be found in the EDPB register here). These lists may vary from one country to another and are not meant to be exhaustive.
Therefore, the EDPB published guidelines providing criteria to help determine which types of data processing should be subject to a DPIA.
As a rule of thumb, if a data processing operation meets at least two of the criteria listed below, a DPIA should be carried out. It should however be borne in mind that this is not a strict rule: in some cases, processing meeting only one of these criteria could be deemed to result in a high risk for data subjects, while processing meeting more than two criteria might not result in such a risk.
In order to determine when processing is likely to result in a high risk, the processing should meet at least two of the following criteria:
- Evaluation and scoring (performance at work, economic situation, personal preference, location etc.)
- Automated decision making with legal effects or similarly significant effects on the data subject, especially if it leads to the exclusion of or discrimination against individuals (further explanations will be provided in the EDPB guidelines on profiling)
- Systematic monitoring of data subjects
- Sensitive data (see articles 9 and 10 of the GDPR), where they are processed systematically or on a large scale
- Data processed on a large scale (number of data subjects, volume of data, duration of the processing activity, geographical extent)
- Data sets that have been matched or combined (in a way that would exceed the reasonable expectations of the data subject)
- Data concerning vulnerable data subjects (increased power imbalance between the data subject and the controller: employees, children, populations requiring special protection (mentally ill, asylum seekers, elderly, patients …))
- Innovative use or application of technological or organisational solutions
- Data transfer outside the European Union, taking into consideration the third country, the possibility of onward transfers or the likelihood of transfers based on a derogation
- Processing that prevents data subjects from exercising a right or using a service or a contract
3. Exemptions to the performance of a DPIA
Data processing may not be subject to a DPIA in the following cases:
- It is not likely to result in a high risk to the rights and freedoms of natural persons;
- The data processing is very similar to another processing operation for which a DPIA has already been carried out;
- The processing operation has a legal basis in EU law and a DPIA has been carried out as part of the adoption of that legal basis;
- The processing is part of the whitelist to be published by each Data Protection Authority (it may include compliance packs or general authorisations already given by the Authorities at national level);
- Data processing implemented before May 2018, if no change has been made to the processing and there is no change in the risk (a DPIA is nonetheless recommended).
4. Content and scope of a Data Protection Impact Assessment
As stated above, controllers may carry out a single assessment to address a set of similar processing operations presenting the same kind of risks.
It is also for controllers to determine the structure and form of the DPIA, though a DPIA should include the following information:
- Systematic description of the envisaged processing operations
- The purposes and where applicable the legitimate interest pursued by the controller / necessity and proportionality of the processing
- Assessment of the risks to the rights and freedoms of data subjects
- Measures addressing the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR
In practice, a DPIA report should be made up of three parts:
- the context (description of the processing activities, the assets and the technologies used, etc.)
- the legal control (checking that the data processing complies with the privacy principles)
- the risk assessment (security controls and residual risks)
Here are some links to existing EU DPIA frameworks:
DE: Standard Data Protection Model, V.1.0 – Trial version, 2016.
FR: Privacy Impact Assessment (PIA), Commission nationale de l’informatique et des libertés (CNIL), 2015 and a link to the DPIA software provided by the CNIL.
5. What if it is not possible to mitigate the risk (prior consultation)?
Where a data protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, the supervisory authority should be consulted prior to the processing.
Moreover, a prior consultation may be required under Member State law where the controller carries out data processing in the public interest, including social protection and public health.
In practice, one would expect that a controller which is not able to mitigate a high risk to the protection of the personal data processed should not start carrying out the data processing at all. Prior consultation should therefore remain very limited outside the scope of specific legal requirements and/or the use of new technologies.