Under the General Gata Protection Regulation (GDPR), controllers must:
- Keep a record of their processing activities (see here for more details); and
- Carry out a Data Protection Impact Assessment (DPIA) where the data processing is likely to result in a high risk to the rights and freedoms of the data subjects.
A DPIA is a process designed to (i) describe the processing, (ii) assess its necessity and proportionality and (iii) manage the risks to the individuals’ rights and freedoms resulting from thereof.
Controllers should be able to identify any of their processing operations subject to a DPIA as well as to know when and how to conduct one.
1. Who should carry out a DPIA and when to do it?
The GDPR requires controllers to perform a DPIA when its processing operations may result in a high risk to the rights and freedoms of the data subjects.
It must do so before starting processing the personal data for the envisaged purposes.
Furthermore, a DPIA should be carried out with the help of the Data Protection Officer (see here the duties of the DPO) if any and, any relevant processor(s).
2. What are the data processing operations subject to a DPIA?
Under article 35 GDPR, controllers must carry out a DPIA when they intend to process data in a way that is likely to result in a high risk to the rights and freedoms of natural persons, in particular, when the controllers resort to new technologies.
A DPIA is, therefore, required where the envisaged data processing activities entails:
- the systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects or significantly affect the natural person (e.g. scoring etc.);
- the processing on a large scale of special categories of data or relating to criminal convictions and offences;
- the systematic monitoring of a publicly accessible area on a large scale.
3. How to identify the data processing operations likely to result in a high risk?
Each Data Protection Authority has released or will release a list of the data processing subject to a DPIA (see the list published in the EDPB register here). However, these lists are not exhaustive and their content is different from one member state to another.
Besides, the EDPB published guidelines and provided criteria helping to determine the types of data processing likely to be subject to a DPIA.
As a rule of thumb, if a data processing meets, at least, two of the criteria listed below, a DPIA is necessary. However, this is only guidelines and to the extent, a data processing activity is likely to result in a high risk, controllers should carry out a DPIA regardless of the number of criteria the processing activity satisfies.
This being said, the nine criteria identified by the authorities are as follows:
- Evaluation and scoring (performance at work, economic situation, personal preference, location etc.);
- Automated decision making with legal effects or similarly; significantly affects the data subject, especially, if it leads to the exclusion or discrimination against individuals (further explanations will be provided in the EDPB guidelines on profiling);
- Systematic monitoring of data subject;
- Sensitive data (see article 9 and 10 of the GDPR) more particularly where processed systematically or on a large scale;
- Data processed on a large scale (number of data subjects, the volume of data, duration of the processing activity, geographical extent);
- Data sets that have been matched or combined in a way that would exceed the reasonable expectations of the data subject;
- Data concerning vulnerable data subjects (i.e. cases where there is an increased power imbalance between the data subject and the controller. For example, it concerns employees, children, population requiring special protection such as mentally ill, asylum seekers, elderly, patient …);
- Innovative use or application of technological or organisational solutions;
- Data transfer outside the European Union, taking into consideration the third country, the possibility of onward transfers or likelihood of transfers based on a derogation;
- The processing may prevent data subjects from exercising a right or using a service or a contract.
4. Exemptions to the performance of a DPIA
Data processing may not be subject to a DPIA in the following cases:
- It is not likely to result in a high risk to the rights and freedoms of natural persons;
- The data processing is very similar to another processing for which a DPIA has been carried out;
- Processing operations has a legal basis in EU and a DPIA has been carried out as part of the adoption of that legal basis;
- The processing is part of the whitelist each Data Protection Authority should publish (it may include compliance pack or general authorisation already given by the Authorities at the national level);
- Data processing implemented before May 2018 to the extent there is no change in the processing operations or the risk. A DPIA is however recommended.
5. Content and scope of a DPIA
5.1. In theory, Controllers determine the structure and form of the DPIA and may carry out a single assessment to address a set of similar processing presenting the same kind of risks.
However, a DPIA must, at least, include the following information:
- Systematic description of the envisaged processing operations;
- The purposes and where applicable the legitimate interest pursued by the controller, the necessity and proportionality of the processing;
- Assessment of the risks to the rights and freedoms of data subjects;
- Measures addressing the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR.
In practice, a DPIA report should be made up of three parts:
- the context (description of the processing activities, the asset and the technologies used etc.);
- the legal control (checking the data processing operations are compliant with the data protection principles);
- the risk assessment (security control and residual risks).
Here are some links to existing EU DPIA frameworks:
DE: Standard Data Protection Model, V.1.0 – Trial version, 2016.
FR: Privacy Impact Assessment (PIA), Commission nationale de l’informatique et des libertés (CNIL), 2015 and a link to the DPIA software provided by the CNIL.
6. How to conduct a DPIA?
As stated above, a DPIA report is made up of three sections (i.e. context, legal control and risk assessment).
The context should contain the details of the envisaged processing operations such as the identity of the controller(s), the type of data processed, the data retention period, the technologies used, the reason and purposes of the processing operations, the data recipients, the source(s) of data, the information notice etc..
This section will help carry out the legal and security review.
The legal control aims to ensure that the processing operations comply with the data protection principles (e.g. transparency, proportionality etc.) except for security, which is addressed in the risk assessment section. The controllers should address any issues identified at this stage as the authorities would not accept any derogations
The risk assessment must show that:
– The controller has identified any threats to the rights and freedoms of individuals;
– It has assessed the level of risk (e.g. likelihood of occurrence, likely consequences); and
– It has mitigated the risks by implementing appropriate security measures.
The DPIA is finalised when the processing operations comply with the data protection principles and no longer result in a high risk to the rights and freedoms of individuals.
7. What to do if it is not possible to sufficiently mitigate the risks (prior consultation)?
Where the controller cannot mitigate the risk with appropriate measures, it should consult the supervisory authority before starting processing.
Furthermore, Member States law may require a prior consultation where the controller carried out data processing in the public interest including social protection and public health.
In practice, we believe that any controller who cannot mitigate a high risk to the protection of personal data should not start the processing operations. Therefore, the controller should consult the authorities under limited circumstances such as when it is explicitly required by law, it must carry out the processing operations anyway (e.g. because of exceptional circumstances or a legal requirement) and/or these operations involve the use of new technologies.
For any question, do not hesitate to contact Arnaud Blanc, French and UK qualified lawyer based in France.