Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), repeals Directive 95/46/EC and expands the protection of natural persons with regard to the processing of personal data and the free movement of such data.
The GDPR will become applicable in May 2018 and will introduce new obligations for those who process personal data, among them the duty to carry out Data Protection Impact Assessments (DPIAs).
What is a data protection impact assessment (DPIA). The DPIA is regulated by Article 35, GDPR. It was introduced to help evaluate how a processing operation may impact the protection of personal data and what risks it poses to the rights and freedoms of natural persons.
The DPIA is a self-assessment. Once the assessment has been carried out, the controller shall decide whether the processing is legitimate.
Who shall carry out the DPIA. The data controller, with the DPO and the data processor(s) shall carry out the DPIA.
The DPIA may be carried out by someone inside or outside the organization, but the controller remains ultimately accountable for it (Article 35.2, GDPR).
Where appropriate, it is recommended to seek the advice of independent experts from different professions (lawyers, technicians, security experts, sociologists, ethicists, etc.).
The roles and responsibilities of the processors must be contractually defined and it is good practice to define and document other specific roles and responsibilities, depending on internal policy, processes and rules.
What is the scope of application of the data protection impact assessment. A DPIA may address a single processing operation or a set of analogous processing operations which are similar in terms of risks presented, nature, scope, context and purposes of the processing.
For example, a railway operator (single controller) could cover video surveillance in all its train stations with one DPIA.
A DPIA can also be useful for assessing the data protection impact of a technology product, such as software that could be used by different data controllers to carry out various processing operations. The data controller deploying the product will still be obliged to carry out its own DPIA with regard to its specific implementation.
The likelihood to result in a high risk
When the processing is “likely to result in a high risk to the rights and freedoms of natural persons”, the controller shall, prior to the processing, carry out a DPIA.
Article 35, GDPR, lists three instances in which a DPIA is required:
(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing (including profiling), and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
(b) processing on a large scale of special categories of data referred to in Article 9.1, GDPR, or of personal data relating to criminal convictions and offences referred to in Article 10; or
(c) a systematic monitoring of a publicly accessible area on a large scale.
WP29 singled out a longer list of instances in its Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (WP248), which include:
- evaluation or scoring;
- automated decision-making with legal or similar significant effect, Article 35.3(c), GDPR;
- systematic monitoring, Article 35.3(c), GDPR;
- sensitive data;
- data processed on a large scale;
- datasets that have been matched or combined;
- data concerning vulnerable data subjects, recital 75, GDPR;
- innovative use or applying technological or organisational solutions, Article 35.1 and recitals 89 and 91, GDPR;
- data transfer across borders outside the European Union, recital 116, GDPR;
- when the processing in itself “prevents data subjects from exercising a right or using a service or a contract”, Article 22 and recital 91, GDPR.
WP29 “two criteria rule”
According to WP29, as a rule of thumb, a processing operation meeting fewer than two criteria may not require a DPIA. To help in understanding when a DPIA is required, WP29 provided the following table.
| Examples of processing | Possible relevant criteria | DPIA required? |
|---|---|---|
| A hospital processing its patients’ genetic and health data (hospital information system). | Sensitive data; data concerning vulnerable data subjects | |
| The use of a camera system to monitor driving behavior on highways. The controller envisages using an intelligent video analysis system to single out cars and automatically recognize license plates. | Systematic monitoring; innovative use or applying technological or organizational solutions | |
| A company monitoring its employees’ activities, including the monitoring of the employees’ work stations, internet activity, etc. | Systematic monitoring; data concerning vulnerable data subjects | |
| The gathering of public social media profile data to be used by private companies generating profiles for contact directories. | Evaluation or scoring; data processed on a large scale | |
| An online magazine using a mailing list to send a generic daily digest to its subscribers. | (none) | |
| An e-commerce website displaying adverts for vintage car parts, involving limited profiling based on past purchase behaviour on certain parts of its website. | Evaluation or scoring, but not systematic or extensive | |
Data Protection Authority (DPA) guidance
DPAs have the duty to guide controllers by publishing lists of the kinds of processing operations for which a DPIA is, or is not, required (Article 35, GDPR).
The European Data Protection Board (EDPB) will aid in developing the DPIA’s guidelines and determining whether processing is “likely to result in a high risk”, taking over the work of WP29.
Also, after the controller has carried out a DPIA, she shall consult the DPA prior to processing where the assessment indicates that the processing would result in a high risk (Article 36.1, GDPR). In this case, the DPIA must be provided to the DPA (Article 36.3(e), GDPR).
When to carry out a DPIA
The requirement to carry out a DPIA applies to processing operations meeting the criteria of Article 35, GDPR, and initiated after the GDPR becomes applicable in May 2018.
However, WP29 strongly recommends carrying out DPIAs also for processing operations already underway prior to May 2018.
In addition, where necessary, “the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operation” (Article 35.11, GDPR).
According to WP29, DPIAs should be “continuously carried out on existing processing activities. However, it should be re-assessed after 3 years, perhaps sooner, depending on the nature of the processing and the rate of change in the processing operation and general circumstances.”
In general, the DPIA should be reviewed when there is a change in the risk presented by the processing operation (Article 35.11, GDPR). Risks can change because one of the components of the processing operation changes (data, supporting assets, risk sources, potential impacts, threats, etc.), because the context of the processing evolves (purpose, functionalities, etc.), or because the organizational or societal context of the processing activity has changed (for example, because the effects of certain automated decisions have become more significant, or new categories of natural persons have become vulnerable to discrimination).
How to carry out a DPIA. There are different methodologies for carrying out a DPIA. However, whatever its form, a DPIA must be a “genuine assessment of risks, allowing controllers to take measures to address them.”
The DPIA is a tool for managing risks to the rights of the data subjects, and thus takes their perspective, as is done in certain fields (e.g. societal security), whereas risk management in some other fields (e.g. information security) is focused on the organization. A “risk” is a scenario describing an event and its consequences, estimated in terms of severity and likelihood. Article 35, GDPR, refers to a likely high risk “to the rights and freedoms of individuals”. As indicated in WP29’s Statement 14/EN WP 218, the reference to “the rights and freedoms” of the data subjects primarily concerns the right to privacy but may also involve other fundamental rights such as freedom of speech, freedom of thought, freedom of movement, the prohibition of discrimination, the right to liberty, and freedom of conscience and religion.
The GDPR sets out a broad, generic framework for designing a DPIA. Article 35.7, and recitals 84 and 90, GDPR, provide for:
– “a description of the envisaged processing operations and the purposes of the processing”;
– “an assessment of the necessity and proportionality of the processing”;
– “an assessment of the risks to the rights and freedoms of data subjects”;
– “the measures envisaged to:
  – “address the risks”;
  – “demonstrate compliance with this Regulation”.
WP29 proposes a set of criteria which data controllers can use to assess whether or not a DPIA, or a methodology to carry out a DPIA, is sufficiently comprehensive to comply with the GDPR (Annex 2, WP248).
The accountability principle
As mentioned, carrying out a DPIA is not mandatory for every processing operation. However, the principle of accountability requires the controller to be able to demonstrate compliance with her duties under the GDPR (Article 5.2, GDPR). WP29 explains that the “DPIA is a process for building and demonstrating compliance.” The data controller “shall maintain a record of processing activities under its responsibility” including, inter alia, the purposes of the processing, a description of the categories of data and of the recipients of the data and, where possible, a general description of the technical and organizational security measures implemented to ensure an appropriate level of security, even if the data controller decides that a DPIA is not necessary (Articles 30.1 and 32.1, GDPR).
Publishing a DPIA is not a legal requirement of the GDPR. However, data controllers should consider publishing their DPIA, or at least part of it, to demonstrate accountability and transparency.
According to Article 83.4, GDPR, infringements of Article 35, GDPR, are subject to administrative fines of up to €10 million or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Failure to carry out a DPIA when the processing requires one (Article 35.1 and 3, GDPR), carrying out a DPIA in an incorrect way (Article 35.2, 7 and 9, GDPR), or failing to consult the competent supervisory authority where required (Article 36.3(e), GDPR) can each result in the administrative fine mentioned above.