One key feature of the General Data Protection Regulation (GDPR) is its requirement that compliance is formally documented, a marked difference from Directive 95/46/EC (the Directive), which sets out far less prescriptive obligations. One example is the obligation to carry out a data protection impact assessment (DPIA) "where processing operations are likely to result in a high risk to the rights and freedoms" of data subjects.
The recitals of the GDPR highlight the reasoning behind its evidentiary nature. These acknowledge that whilst the Directive mandated a general notification to the applicable Supervisory Authority (SA) and generated financial and administrative burdens, the end result was not always the improved protection of personal data. The GDPR seeks to ensure enhanced protection of data subject rights and freedoms by obliging data controllers to document how they intend for such rights and freedoms to be protected.
The concept of a DPIA may already be familiar: the ICO published its code of practice for conducting privacy impact assessments, and across Europe similar assessments have been prevalent for some time. The DPIA requirement under the GDPR bolsters such practices, but analysis specific to the GDPR requirements must be carried out.
What is a DPIA?
The data controller is responsible for carrying out a DPIA to analyse the "origin, nature and severity" of the risk to data subject rights and freedoms. This will necessarily involve examination of the scope, context and purposes of the intended processing. In broad terms, the aim of the DPIA is to establish whether there is likely to be such a risk, and if so, to help determine which measures should be put in place to demonstrate that the processing activities are in compliance with the GDPR and protect the data.
It is, therefore, crucial that the DPIA is carried out before the relevant processing starts, in order to consider the measures, safeguards and mechanisms which could be used to mitigate any risk posed to data subject rights and freedoms. Further, if the desired processing risks cannot be mitigated by taking appropriate measures with regard to available technology and cost of implementation, the applicable SA should be consulted. As such, the sooner any risks are ruled out or, alternatively, identified, the better prepared a business will be to put in place appropriate remedies or other required courses of action. At the heart of the GDPR is the formalisation of 'privacy by design', which the DPIA obligations uphold.
Minimum required elements of a DPIA:
- a systematic description of the planned processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects;
- the measures intended to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR with regard to the rights of data subjects and other persons concerned.
When should DPIAs be carried out?
A DPIA is required "where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons".
There is no definition of what "high risk" means, but it is likely to result when the extent and frequency of processing adversely affect or otherwise interfere with the rights and freedoms of the data subject.
It may be worth considering a two-stage process for DPIA compliance to help discover the 'unknown unknowns'. A high-level DPIA could pose initial questions about all intended processing operations concerning personal data. If, after the initial assessment, any potential risk areas are identified, a second DPIA which is fully compliant with the GDPR can assess such processing operations in more depth. This two-stage approach allows for a 'deeper dive' where necessary and will also serve to demonstrate compliance with the GDPR.
The GDPR identifies particular instances in which a DPIA is required, based on factors such as:
- large-scale processing operations;
- significant volumes of personal data, particularly if of a sensitive nature, or where new technology has been developed and deployed on a large scale;
- processing operations which make it harder for data subjects to exercise their rights.
DPIAs will be required in the case of:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data (being personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation) or of personal data relating to criminal convictions and offences or related security measures.
(Article 35(3))
An SA can create a publicly available list of types of processing operations which require a DPIA, and can also list processing operations which will not require a DPIA. These lists will be shared with the European Data Protection Board (EDPB), which will subsequently issue an opinion following the adoption of such lists. If SAs have not established such lists, the competent SA will apply the consistency mechanism (see Article 63 GDPR). The degree to which SAs produce complementary lists, as well as the EDPB's opinion of such lists, will be significant in helping businesses determine how and when DPIAs are required. Such lists could increase the ability of businesses to quickly identify processing risks, helping to ensure efficient compliance.
The GDPR acknowledges that it may be reasonable and economical for the scope of a DPIA to extend beyond one project so that a DPIA is carried out across an industry sector, or where public bodies intend to establish common processing operations.
Scope of DPIAs
When carrying out DPIAs, if applicable, data controllers should refer to the approved codes of conduct (which take into account various processing sectors and the specific needs of small to medium businesses, see Article 40) under the GDPR.
The GDPR states that it may also be considered appropriate, depending on the intended processing operations, to seek the view of data subjects or their representatives. On first reading this could be a particularly onerous task, and further guidance from SAs will prove helpful in determining when, and how, companies must comply.
Another central theme of the GDPR is that compliance reviews are ongoing, as exemplified by the requirement that DPIAs must be kept under review. At the very least, it is expected that if intended processing operations represent a change in risk to the data subject's rights and freedoms, the DPIA should be reviewed. Where there is a designated data protection officer (DPO), a data controller must seek the advice of the DPO on a DPIA, and the DPO must monitor the performance of the DPIA against Article 35.
Notifying the SA
If the data controller believes that reasonably available technologies and their implementation costs do not mitigate the risk caused by the processing operations, the applicable SA must be consulted before such processing begins.
Upon receiving a request for consultation, the SA will request certain information from the data controller and shall respond within eight weeks with written advice to the data controller (and processor, if applicable), and may use any of its investigatory or corrective powers (Article 58). This period may be extended by six weeks depending on the complexity of the planned processing. All such time periods may be suspended if the information the SA has requested has not been received.
The extent to which companies and SAs agree on the "reasonably available technologies and cost" could prove significant given that SAs are able to use their powers under Article 58.
When consulting the SA, a data controller will need to provide:
- where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
- the purposes and means of the intended processing;
- the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to the GDPR;
- where applicable, the contact details of the data protection officer;
- the data protection impact assessment; and
- any other information requested by the SA.
Processors must assist data controllers, ensuring compliance with any obligations arising from a DPIA and from consultation with the SA.
As with many aspects of GDPR compliance, more detailed guidance from SAs will be crucial in understanding the scope of DPIAs in practice. Those businesses that begin to build DPIA assessments into all proposed processing operations from day one will be ahead of the curve in demonstrating compliance. As the ICO has commented, "An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur."