On 4 April 2017, the Article 29 Working Party (“WP29”) adopted the Guidelines on Data Protection Impact Assessment ("DPIA") and determining whether processing is “likely to result in high risk” for the purposes of Regulation 2016/679 ("the Guidelines”).
DPIAs – When are they mandatory?
Under Article 35(1) DPIAs will be mandatory where data processing is 'likely to result in a high risk to the rights and freedoms of natural persons'. Article 35(3) sets out examples of circumstances that will be considered likely to result in a high risk.
WP29 strongly recommends that DPIAs are also undertaken for processing operations that are already underway. If a change is made to an ongoing operation after 25 May 2018 that could alter the likelihood of a risk, data controllers should assess whether the existing DPIA is still applicable and should then make any necessary adjustments to ensure that any new risks are identified and addressed.
DPIAs are also recommended to be undertaken when it is not clear whether there is a likelihood of high risk, as they are useful tools for monitoring compliance with the GDPR.
The Guidelines set out the following criteria that data controllers should consider when determining the risks posed by a processing operation: where a processing operation will encompass two or more of the criteria, it is likely to result in a high risk and therefore a DPIA should be completed. If fewer than two of the criteria below are met then the processing operation is not as likely to result in a high risk and a DPIA may not be required. Care should be taken when using this rule as it is not a strict science; there may be instances where the operation encompasses more than two of the criteria and the data controller does not consider a DPIA to be necessary (in which case the reasons should be very clearly documented) and vice versa.
The criteria to keep in mind are:
- Evaluation or scoring, including profiling and predicting, especially from “aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements”;
- Automated decision-making with a legal or similarly significant effect; for example, underwriting that uses automated decision-making and results in an instant decline to quote;
- Systematic monitoring, including of a publicly accessible area;
- Sensitive data, including data which may generally be considered as increasing the risk to the rights and freedoms of individuals, for example location and financial data;
- Data processed on a large scale (looking at the number of data subjects concerned, the volume of data, the duration, or permanence, of the data processing activity, and the geographical extent of the processing activity);
- Datasets that have been matched or combined, for example those originating from two or more data processing operations performed for different purposes, such as fingerprint or face recognition for access control;
- Data concerning vulnerable data subjects, for example employees, who would find it difficult to oppose processing that their employer carries out;
- Innovative use or application of technological or organisational solutions;
- Data transfers across borders outside the European Union;
- When the processing in itself “prevents data subjects from exercising a right or using a service or a contract”, for example processing in a public area that cannot be avoided.
There are some instances where a DPIA will not be required, including circumstances where the processing operation: is not likely to result in a high risk; has already been authorised; or has a legal basis.
Conducting a DPIA
DPIAs should be conducted before the processing operation begins (unless it is conducted retrospectively for an operation existing prior to May 2018) and started “as early as practicable”. The DPIA should be a living process that is updated as the operation itself changes, and some stages may need to be repeated multiple times or adjusted as the operation continues.
Whilst data controllers are responsible for ensuring the DPIA is carried out, they are not specifically obligated to complete it themselves. It can be delegated, with input from the data processors and the DPO.
The Guidelines contain a useful diagram to assist data controllers in designing the DPIA process.
DPIAs should manage risk to the data subjects, rather than assessing the risks to the businesses involved.
Although not prescribed by law, the publication of DPIAs should be considered as a clear demonstration of willingness to operate transparently and in good faith, even where the publication only includes a brief outline or summary.
When should the supervisory authority be consulted?
The supervisory authority should be consulted where the risks identified cannot be (or have not been) addressed sufficiently by the data controller, i.e. where there are high residual risks to the data subjects, for example where they could encounter significant or irreversible consequences which cannot be overcome.
Key points to note:
The Guidelines provide helpful annexes to assist data controllers in devising their DPIAs including examples of existing EU DPIA frameworks.
DPIAs should be viewed as a useful tool for data controllers to monitor GDPR compliance.
Where a DPIA requirement is not met, the data controller is liable for a fine imposed by the supervisory authority, which may be up to €10 million.
Separate DPIAs do not necessarily need to be conducted for each individual processing operation. Where multiple operations have similar risks and their nature, scope, context and purposes are very similar and it is economical to combine the process, a combined DPIA could be conducted.
The introduction of new technology into a process should be a flag to the data controller to conduct a review and determine whether the DPIA is sufficient to capture all of the risks faced.
Annex 1 of the ICO guide on big data sets out a helpful checklist (which can be adapted for personal data generally) for conducting a DPIA and how to bridge the gap between requirements under the DPA and GDPR.
Organisations should consider assembling a DPIA toolkit which can be used when conducting any DPIAs and should consider undertaking DPIAs for processing operations which meet the criteria.
The Guidelines can be accessed here.
The ICO Blog on big data can be accessed here.