Under the new European General Data Protection Regulation (GDPR), controllers no longer have to notify the Data Protection Authorities of their data processing activities. Instead, they must keep a record of their processing activities (see here for more details about the register) and, where the data processing is likely to result in a high risk to the rights and freedoms of the data subjects, controllers will have to carry out a Data Protection Impact Assessment (DPIA).
A DPIA is a process designed to describe the processing, to assess the necessity and proportionality of the processing, and to help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data.
1. Who should carry out a DPIA?
According to the GDPR provisions, it is for the controller to perform a DPIA where one is required.
A DPIA should be carried out with the help of the Data Protection Officer (see here for the duties of the DPO), where a DPO has been appointed, and of any relevant processor(s).
2. What data processing is subject to a DPIA?
2.1. According to the GDPR
Not every data processing activity is subject to a DPIA. According to Article 35 of the GDPR, a DPIA is to be carried out when a data processing activity is likely to result in a high risk to the rights and freedoms of natural persons, and more particularly when new technologies are used.
It shall be required in the case of:
- A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects or similarly significantly affect the natural person (e.g. scoring)
- Processing on a large scale of special categories of data, or of data relating to criminal convictions and offences
- Systematic monitoring of a publicly accessible area on a large scale
2.2. EDPB guidelines and criteria
The Data Protection Authorities of each Member State should release a list of the data processing activities subject to a DPIA. The list may vary from one country to another, but the WP29 has recently published guidelines providing criteria with regard to which data processing activities are concerned by a DPIA.
As a rule of thumb, even though this does not replace the official list to be provided by the Data Protection Authorities, if a data processing activity meets at least two of the criteria listed below, a DPIA should be carried out. This is not a strict rule: in some cases a data processing activity meeting only one criterion could result in a high risk and therefore be subject to a DPIA, while a data processing activity meeting more than two criteria might not result in such a risk.
In order to determine when processing is likely to result in a high risk, the following criteria should be considered:
- Evaluation and scoring (performance at work, economic situation, personal preference, location etc.)
- Automated decision making with legal effects or similarly significant effects on the data subject, especially if it leads to the exclusion of or discrimination against individuals (further explanations will be provided in the EDPB guidelines on profiling)
- Systematic monitoring of data subjects
- Sensitive data (see Articles 9 and 10 of the GDPR), where they are processed systematically or on a large scale
- Data processed on a large scale (number of data subjects, volume of data, duration of the processing activity, geographical extent)
- Data sets that have been matched or combined (in a way that would exceed the reasonable expectations of the data subject)
- Data concerning vulnerable data subjects (increased power imbalance between the data subject and the controller: employees, children, populations requiring special protection such as the mentally ill, asylum seekers, the elderly, patients …)
- Innovative use or application of technological or organisational solutions
- Data transfers outside the European Union: taking into consideration the third country, the possibility of onward transfers, or the likelihood of transfers based on a derogation
- Processing that may prevent data subjects from exercising a right or using a service or a contract
3. Exemptions to the performance of a DPIA
A data processing activity may not be subject to a DPIA in the following cases:
- It is not likely to result in a high risk to the rights and freedoms of natural persons
- The data processing is very similar to another processing activity for which a DPIA has already been carried out
- The processing operation has a legal basis in EU law and a DPIA has been carried out as part of the adoption of that legal basis
- The processing is included in the optional list to be published by each Data Protection Authority (it may include compliance packs or general authorisations already given by the Authorities at national level)
- Data processing implemented before May 2018, if no change has been made or there is no change in the risk (a DPIA is nonetheless recommended)
4. Content and scope of a Data Protection Impact Assessment
A single assessment may address a set of similar processing operations presenting the same kind of risks.
It is for the controller to determine the structure and form of the DPIA, though a DPIA should include the following information:
- Systematic description of the envisaged processing operations
- The purposes and where applicable the legitimate interest pursued by the controller / necessity and proportionality of the processing
- Assessment of the risks to the rights and freedoms of data subjects
- Measures addressing the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR
In practice, a DPIA report should be made up of three parts:
- the context (description of the processing activities, the assets and the technologies used, etc.)
- the legal control (checking that the data processing is compliant with the privacy principles)
- the risk assessment (security controls and residual risks)
Here are some links to existing EU DPIA frameworks:
DE: Standard Data Protection Model, V.1.0 – Trial version, 2016.
5. What if it is not possible to mitigate the risk (prior consultation)?
Where a data protection impact assessment indicates that the processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.
Moreover, a prior consultation may be required under Member State law where the controller carries out data processing in the public interest, including social protection and public health.
In practice, one would expect that anyone who is unable to mitigate a high risk to the protection of the personal data processed should not start the data processing at all. Prior consultation should therefore remain very limited outside the scope of specific legal requirements.