Following the publication of its guidance on a number of elements of the General Data Protection Regulation (“GDPR”) (the right to data portability, Data Protection Officers, and identifying the lead supervisory authority), the Article 29 Data Protection Working Party (“WP29”) has now published further draft guidelines on Data Protection Impact Assessments. The WP29 is inviting comments on these draft guidelines up to 23 May 2017.

Examples of “high risk” processing

The guidelines suggest some criteria that should be considered in assessing whether the processing of personal data is likely to be considered “high risk”. These include where the processing involves:

  • evaluation or scoring, including profiling and predicting, especially relating to an individual’s performance at work, economic situation, credit-worthiness, health etc.;
  • evaluation or scoring, including profiling and predicting, especially relating to an individual’s performance at work, economic situation, credit-worthiness, health etc.;
  • data processed on a large scale – “large scale” to be interpreted by reference to matters such as the number of data subjects, volume of data, and the duration/ permanence and geographic extent of the data processing;
  •  data concerning “vulnerable” data subjects – examples of such persons include employees, children, the mentally ill, asylum seekers, the elderly, patients - any case, according to the WP29, where there is an imbalance in the relationship between the data subject and the controller;
  •  the innovative use of technology (e.g. combining use of fingerprint and face recognition for improved physical access, control, etc.) or technology involving novel forms of data collection and usage (e.g. certain internet of things applications);
  • data transfers outside of the European Union.

The guidelines indicate that, as a rule of thumb, processing involving two of the criteria will be “high risk” and require a DPIA. Processing involving only one criterion may not require a DPIA; however, this will need to be assessed on a case by case basis. As one would expect, in cases where it is not clear if a DPIA is required, the WP29 recommends carrying one out. 

Timing of DPIAs

DPIAs will only be required for relevant processing operations initiated on or after 25 May 2018. While the WP29 “strongly recommends” that DPIAs be carried out in relation to existing operations, this is not required unless the processing changes significantly - e.g. where new technology is introduced.

The WP29 emphasises that, consistent with the data protection by design and default principles of the GDPR, a DPIA should be carried out in advance of the relevant processing. The WP29 further recommends that, as a matter of good practice, a DPIA should be continuously carried out on existing processing activities and should be re-assessed every three years (or sooner, depending on the nature of the processing, type of technology, etc.).

Process and methodology

The guidelines include a chart suggesting a process for carrying out a DPIA. However, they also emphasise that data controllers have flexibility under the GDPR to determine the precise nature and form of the DPIA. Helpfully, they clarify that the form of the DPIA can be incorporated within existing practices and risk assessment frameworks (e.g. ISO standards). In this regard, the guidelines also include examples of existing EU DPIA frameworks which can be used, including ones previously published by the French and UK DPAs. 

In addition, Annex 2 of the guidelines includes a helpful checklist which data controllers can use to assess whether a DPIA, or the methodology used to carry out a DPIA, is sufficiently comprehensive to comply with the requirements of the GDPR. Many organisations will be starting at this stage to establish the format /methodology for DPIAs in readiness for the (rapidly advancing) May 2018 GDPR deadline, and should find these guidelines helpful.