Final guidance on DPIAs, draft guidance on profiling and breach notification, and guidelines for regulators on administrative fines have been published by the Article 29 Working Party.
What’s the issue?
Our regular readers will be universally aware that the General Data Protection Regulation (GDPR) will apply from 25 May 2018. Representing a major overhaul of EU data protection law, the GDPR introduces new rights for individuals and obligations on those processing personal data, together with significant fines for non-compliance. Regulators are producing guidance to help organisations towards compliance.
What’s the development?
The Article 29 Working Party (WP29) has published final guidance on Data Protection Impact Assessments (DPIAs), draft guidance on profiling and breach notification, and guidance for regulators on administrative fines.
What does this mean for you?
WP29 guidance carries huge weight (even if it is not binding) because the WP29 is made up of the EU regulators. As such, it should be read carefully and serves to address at least some of the gaps in the GDPR.
The finalised guidelines on conducting DPIAs under the GDPR are substantially the same as the draft published in April 2017, with some minor amendments.
The WP29 gives a non-exhaustive list of circumstances which are likely to result in high risks to individuals and to trigger the need for a DPIA where at least two apply. Data transfers to third countries have been removed from this list, which now covers:
- evaluation or scoring;
- automated decision making with legal or similar significant effect;
- systematic monitoring;
- sensitive data or data of a highly personal nature (N.B. the words “highly personal nature” are new);
- data processed on a large scale;
- matching or combining datasets;
- data concerning vulnerable data subjects; and
- innovative use or applying new technological or organisational solutions.
The guidelines continue to emphasise that DPIAs are a tool in the armoury of data protection and that they should be continuously reviewed and regularly reassessed. Emphasis is placed on maintaining a risk-based approach. See here for more (subject to the changes noted above).
Automated decision making and profiling
The WP29’s draft guidelines on automated decision making and profiling under the GDPR are open for consultation until 28 November 2017.
The WP29 makes a distinction between automated decision making and profiling. The former is the taking of decisions by solely automated means. The WP29 says this means no significant human involvement – in other words, having only token human involvement will not prevent a decision being regarded as automated. Profiling (which can also take place by solely automated means) is the collection of data about an individual and using it to categorise them or make assumptions or predictions about their behaviour based on the data.
The right not to be subject to decisions taken as a result of automated processing applies where it produces legal effects or “similarly significant effects”. Neither of these terms is defined in the GDPR, and the WP29 suggests that “legal effects” should mean any activity which impacts an individual’s legal rights, affects a person’s legal status or affects their rights under a contract. The WP29 recognises that what constitutes a “similarly significant effect” is less clear-cut and will depend on the circumstances, but that the effects “should be more than trivial and must be sufficiently great or important to be worthy of attention”. In other words, the decision must have the potential to significantly influence the circumstances, behaviour or choices of the individuals concerned.
Another area of helpful clarification relates to whether targeted advertising is likely to be a significant automated decision. In the WP29’s view, targeted advertising would not usually have a significant effect on individuals; however, under certain circumstances it may. The WP29 suggests the factors to be considered would be:
- the intrusiveness of the profiling process;
- the expectations and wishes of the individual;
- the way the advert is delivered; and
- any particular vulnerabilities of the targeted individual.
Examples given by the WP29 of situations where targeted advertising could fall foul of the rules on automated decision making include where an individual in financial difficulty is regularly targeted with adverts for online gambling, or where adverts using differential pricing prevent an individual from getting goods or services at a lower price.
The WP29 places considerable emphasis on clear and transparent communication with data subjects and underlines the need to check datasets for bias and prevent errors or discrimination based on the processing of special data. As ever, DPIAs are seen as an essential compliance tool.
The WP29’s draft guidelines on personal data breach notification under the GDPR are open for consultation until 28 November 2017.
The WP29 gives some welcome clarification on a number of issues as well as plenty of examples. Points to note include:
- the 72-hour time limit for reporting a breach to the relevant DPA begins to run once the controller becomes aware of the breach. The WP29 says this is when the controller has a reasonable degree of certainty that a security incident leading to a personal data breach has taken place;
- as soon as a data processor becomes aware of a breach, the data controller is deemed to have knowledge of the breach so controllers should ensure processors are obliged to inform them of any breach immediately;
- information given to the regulator about a breach should describe the categories of data and of individuals involved, even if precise figures are not yet available;
- in the case of cross-border breaches, the data controller will need to inform its lead supervisory authority (LSA) where it has one. The LSA should be identified in the breach response plan. If there is no LSA, then the controller should inform the SA where the breach has taken place. Even if there is an LSA, the controller may wish to inform SAs in affected Member States but if it chooses not to, the WP29 says it should inform the LSA of the location of individuals who may be affected by the breach;
- examples of breaches which do not have to be reported are given, including where encrypted data which remains secure is taken;
- guidelines are given on when to inform data subjects of a breach and what information to give them;
- the WP29 underlines the need to document all breaches, whether or not they are reportable, and advises documenting any decisions taken in relation to them, as well as remedial work;
- loss of access to data, even due to a temporary loss of power, is a personal data breach which should be documented (although not necessarily reported);
- the WP29 reminds controllers that reporting an incident which turns out not to be a reportable breach is preferable to failing to report something which is reportable.
The guidelines on the application and setting of fines under the GDPR are aimed at the regulators to help them assess what level of fine is appropriate in particular circumstances. Issues to consider include:
- the number of data subjects involved;
- the purpose of the processing;
- the level of damage suffered; and
- the duration of the infringement.
Regulators should cooperate to ensure a harmonised approach across the EU. The WP29 plans to publish further guidance on making detailed calculations.