WP29 publishes Guidelines on Data Protection Impact Assessment

In its plenary meeting held in April 2017, Working Party 29 (WP29) examined certain critical matters regarding the implementation of Regulation 2016/679, the so-called General Data Protection Regulation (GDPR).

Among other documents, WP29 also adopted Guidelines on Data Protection Impact Assessment (DPIA), wp248, which will be open for public consultation for 6 weeks before their final adoption.

Data controllers should see the carrying out of a DPIA as a useful and positive activity that aids legal compliance with data protection laws.

DPIAs are mandatory when processing is “likely to result in a high risk” for the purposes of the GDPR (Article 35 GDPR).

The DPAs say that the following processing situations are likely to present this kind of risk:

  1. Evaluation or scoring, including profiling and predicting, especially from “aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements”.
  2. Automated decision-making with a legal or similarly significant effect.
  3. Systematic monitoring.
  4. Sensitive data.
  5. Data processed on a large scale (looking at the number of data subjects concerned, the volume of data, the duration, or permanence, of the data processing activity, and the geographical extent of the processing activity).
  6. Datasets that have been matched or combined.
  7. Data concerning vulnerable data subjects.
  8. Innovative use or applying technological or organisational solutions.
  9. Data transfers across borders outside the European Union.
  10. When the processing in itself “prevents data subjects from exercising a right or using a service or a contract”.

The Guidelines highlight that there might be unacceptably high residual risks justifying a DPIA. DPIAs are scalable and can take different forms.

The Guidelines explain how to carry out a DPIA (when, and who shall carry it out). They provide a useful figure illustrating all the relevant requirements set out in the GDPR to provide a broad, generic framework for designing and carrying out a DPIA.

There are two annexes to the Guidelines.

The first one provides some examples of existing EU DPIA frameworks.

The second one lists the criteria for an acceptable DPIA. For a DPIA to be sufficiently comprehensive to comply with the GDPR, it shall:

  • provide a systematic description of the processing (Article 35(7)(a));
  • assess necessity and proportionality (Article 35(7)(b));
  • manage risks to the rights and freedoms of data subjects (Article 35(7)(c));
  • involve the interested parties (Article 35(2) and (9)).