Under the new European data protection regulation (GDPR), data controllers will no longer have to notify the Data Protection Authorities of their data processing activities. Instead, they will have to keep a detailed record of all processing (see here for more details about the register) and, where the data processing is likely to result in a high risk to the rights and freedoms of the data subjects, data controllers will have to carry out a Data Protection Impact Assessment (DPIA).
A data protection impact assessment (DPIA) is a process designed to describe the processing, assess the necessity and proportionality of the processing, and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data.
1. Who should carry out a DPIA?
According to the GDPR provisions, it is up to the data controllers to perform a DPIA where their data processing activities require it.
A DPIA should be carried out with the help of the Data Protection Officer (see here for the mission of the DPO), where the data controller has appointed one, and of the data processor, if a data processor is involved in the processing concerned.
2. What data processing is subject to a DPIA?
2.1. According to the GDPR
Not every data processing is subject to a DPIA. According to article 35 of the GDPR, a DPIA is to be carried out when a data processing is likely to result in a high risk to the rights and freedoms of natural persons, and more particularly when new technologies are used.
It shall be required in the case of:
- Systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling and on which decisions are based that produce legal effects or significantly affect the natural person (scoring etc.)
- Processing on a large scale of special categories of data, or of data relating to criminal convictions and offences
- Systematic monitoring of a publicly accessible area on a large scale
2.2. WP29 guidelines and criteria
The Data Protection Authorities of each Member State should publish a list of the data processing subject to a DPIA. The list may vary from one country to another, but the WP29 has recently published guidelines providing criteria as to which data processing is subject to a DPIA.
As a rule of thumb – even though this does not replace the official list to be provided by the Data Protection Authorities – if a processing meets at least two of the criteria listed below, a DPIA should be carried out. This is not a strict rule: in some cases, a data processing meeting only one criterion could result in a high risk and therefore be subject to a DPIA, while a data processing meeting more than two criteria might not result in such a risk.
In order to determine when a processing is likely to result in a high risk, the following criteria should be considered:
- Evaluation and scoring (performance at work, economic situation, personal preferences, location, etc.)
- Automated decision-making with legal or similarly significant effect, especially if it leads to the exclusion of or discrimination against individuals (further explanations will be provided in the WP29 guidelines on profiling)
- Systematic monitoring of data subjects
- Sensitive data (see articles 9 and 10 of the GDPR): processed systematically or on a large scale
- Data processed on a large scale (number of data subjects, volume of data, duration of the processing activity, geographical extent)
- Data sets that have been matched or combined (in a way that would exceed the reasonable expectations of the data subject)
- Data concerning vulnerable data subjects (increased power imbalance between the data subject and the data controller: employees, children, populations requiring special protection such as the mentally ill, asylum seekers, the elderly, patients, …)
- Innovative use or application of technological or organisational solutions
- Data transfers outside the European Union: taking into consideration the third country, the possibility of onward transfers, or the likelihood of transfers based on a derogation
- Processing that may prevent data subjects from exercising a right or using a service or a contract
3. Exemptions to the performance of a DPIA
A data processing may not be subject to a DPIA in the following cases:
- It is not likely to result in a high risk to the rights and freedoms of natural persons
- The processing is very similar to a processing for which a DPIA has already been carried out
- The processing operation has a legal basis in EU law and a DPIA has been carried out as part of the adoption of that legal basis
- The processing is included in the optional list to be published by each Data Protection Authority (it might contain compliance packs or general authorisations already given by the Authorities at national level)
- Data processing implemented before May 2018, if no change has been implemented or there is no change in the risk (a DPIA is nevertheless recommended)
4. Content and scope of the Data Protection Impact Assessment:
A single assessment may address a set of similar processing operations presenting the same kind of risks.
It is up to the data controller to determine the structure and form of the DPIA; however, a DPIA should include the following information:
- Systematic description of the envisaged processing operations
- The purposes and where applicable the legitimate interest pursued by the controller / necessity and proportionality of the processing
- Assessment of the risks to the rights and freedoms of data subjects
- Measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR
In practice, a DPIA report should be made up of three parts:
- the context (description of the processing activities, the asset and the technologies used etc.)
- the legal control (checking the data processing is compliant with the privacy principles)
- the risk assessment (security controls and residual risks)
Here are some links to existing EU DPIA frameworks:
DE: Standard Data Protection Model, V.1.0 – Trial version, 2016.
5. What if it is not possible to mitigate the risk (prior consultation)?
Where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.
Moreover, a prior consultation may be required under Member State law where the controller carries out a data processing in the public interest, including social protection and public health.
In practice, one could argue that anyone who is not able to mitigate a high risk to the protection of the personal data processed should not start carrying out the data processing at all. Prior consultation should therefore remain very rare outside the scope of specific legal requirements.