New guidance has been published for consultation by the Article 29 Data Protection Working Party (WP29) on Data Protection Impact Assessments (DPIAs) pursuant to Article 35 of the General Data Protection Regulation (GDPR). Below is a summary of the key points. The full guidance can be accessed from the WP29 website here.

DPIAs (which are, in some case, mandatory) aim to ensure that the organisation considers and documents the processes they are using and assesses the need and proportionality of such processing. It is important for data controllers to understand the circumstances in which a DPIA should be carried out, and the DPIA process offers an opportunity to demonstrate compliance with the requirements of the GDPR. DPIAs therefore act as an important tool for accountability, and data controllers should take note of when they are necessary; significant fines (up to €10m or 2% of total worldwide annual turnover, whichever is higher) can be imposed for failures.

When must a DPIA be carried out?

Carrying out a DPIA is not mandatory for every processing operation, and it may not be necessary for every processing operation which may result in risks to the rights and freedoms of individuals. Instead it is only if the processing is "likely to result in a high risk" to these rights and freedoms. It is therefore particularly relevant where new data processing technology is being introduced. In cases where it is unclear as to whether a DPIA is required, the WP29 recommends that one should be carried out nonetheless given that a DPIA is a useful tool to help data controllers comply with data protection law.

The guidance sets out the following criteria which should be considered by data controllers when assessing risk level of processing; generally, the more criteria that are met, the more likely it is to "result in a high risk" - "[as] a rule of thumb, a processing operation meeting less than two criteria may not require a DPIA."

  1. Evaluation or scoring, for example, building marketing profiles utilising data collated from the use of a website

  2. Automated-decision making with legal or similar significant effect, for example, where the processing may result in discrimination against individuals

  3. Systematic monitoring, perhaps in circumstances where persons do not know by whom and for what purpose their data is being collected

  4. Sensitive data

  5. Data processed on a large scale

  6. Datasets that have been matched or combined

  7. Data concerning vulnerable data subjects

  8. Innovative use or applying technological or organisational solutions, such as, for example, facial/fingerprint recognition

  9. Data transfer across borders outside the EU

  10. When processing in itself "prevents data subjects from exercising a right or using a service or contract", for example, where a bank uses a credit reference database to screen loan applicants

Organisations are required to document why they deemed a DPIA necessary or unnecessary in the circumstances. In addition, whilst DPIAs are only required post the in-force date of May 2018, organisations are strongly recommended to carry out DPIAs for processing that is already underway and, going forward, to review these regularly, at least every 3 years.

How to carry out a DPIA

The DPIA should be carried out prior to the processing and updated throughout the processing to ensure compliance.

The data controller has ultimate responsibility for ensuring that the DPIA is carried out; though need not carry it out personally. The data controller must seek advice from the Data Protection Officer (DPO) (who must also monitor the DPIA) and document any decisions taken within the DPIA. Additionally, the data controller must "seek the views of data subjects or their representatives where appropriate".

The GDPR sets out the basic content that should be included in a DPIA as follows below, though there is no specific structure of form it should take. Annex 1 to the guidance provides some useful methodologies that organisations can utilise and Annex 2 sets out criteria for an acceptable DPIA:

  • "A description of the envisaged processing operations and the purposes of the processing;

  • An assessment of the necessity and proportionality of the processing;

  • An assessment of the risks to the rights and freedoms of data subjects;

  • The measures envisaged to:

    • address the risks;

    • demonstrate compliance with this Regulation."

The guidance notes that although it is not a legal requirement of the GDPR, it should be good practice to publish the DPIA in full or in part, helping to foster trust in the controller's processing operations.

Organisations should consider when the supervisory authority should be consulted about the processing, especially where residual risks are high. This may be where individuals "data subjects may encounter significant, or even irreversible, consequences, which they may not overcome, and/or when it seems obvious that the risk will occur". Regardless of whether or not consultation with the supervisory is required based on the level of residual risk, the obligations of retaining a record of the DPIA and updating the DPIA in due course remain.

The consultation is open for comments until 23 May 2017. Comments should be sent to [email protected] and [email protected]