The Data Protection Commission (DPC) recently published a draft list of data processing operations for which it considers it mandatory to carry out a Data Protection Impact Assessment (DPIA). The requirement for a controller of personal data to undertake a DPIA is set out in Article 35 of the General Data Protection Regulation (GDPR). Article 35(4) requires each supervisory authority to make public a list of the type of processing activities which require a DPIA. The DPC’s draft list, which is quite broad in scope, was open for public consultation and stakeholders were able to make submissions until 4 July 2018, following which the finalised list will be sent to the European Data Protection Board (EDPB) for approval. It will be worth watching to see to what extent the finalised list of processing activities differs from this consultation.
What is a DPIA?
Article 35 GDPR requires a controller in certain circumstances, and prior to processing, to carry out an assessment of the impact of envisaged processing operations on the protection of personal data. A DPIA must be carried out in circumstances where the type of data processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of individuals. Each DPIA must at least contain:
- a systematic description of the envisaged processing operations, the purposes of the processing and where applicable, the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operation in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects; and
- the measures intended to address the risks including safeguards, security measures and mechanisms to ensure the protection of personal data and demonstrate compliance with the GDPR
When is a DPIA required?
The GDPR outlines several situations in which a DPIA is mandatory including:
- where the processing is likely to result in a high risk to the rights and freedoms of individuals, in particular where using new technologies and taking into account the nature, scope, context and purposes of the processing;
- where a controller undertakes a systematic and extensive evaluation of personal aspects relating to individuals which is based on automated processing including profiling, and on which decisions are based that produce legal effects, for or significantly affect the individual;
- where processing on a large scale occurs in relation to special categories of personal data (e.g. health data) or personal data related to criminal convictions and offences;
- where there is systematic monitoring of a publicly accessible area on a large scale; and
- where required in accordance with the list of processing activities requiring a DPIA, published by the relevant data protection supervisory authority under Article 35(4) of the GDPR.
As regards the last point, the DPC has published a draft list of situations where the DPC requires a DPIA to be conducted. These are where an organisation is intending to:
1. use personal data on a large-scale for a purpose(s) other than that for which it was initially collected pursuant to Article 6(4) of the GDPR;
2. profile vulnerable persons including children to target marketing or online services at such persons;
3. use profiling or special category data to determine access to services;
4. monitor, track, or observe individuals’ location or behaviour;
5. profile individuals on a large-scale;
6. process biometric data to identify an individual;
7. process genetic data;
8. indirectly source personal data where GDPR transparency requirements are not being met;
9. combine, link or cross-reference separate datasets where such linking contributes to profiling or behavioural analysis of individuals;
10. process personal data based on legislative measure under the Data Protection Act 2018 where suitable and specific measures are required to safeguard the fundamental rights and freedoms of individuals; or
11. further process personal data for archiving purposes in the public interest, scientific or historical research or statistical purposes.
The list is drafted quite broadly and unlike the UK ICO’s equivalent list, (which covers fairly similar situations) does not provide additional commentary on the practical application of the situations listed.
The DPC goes on to recommend that it is good practice to carry out a DPIA for any major new project involving the use of personal data, even if there is no specific indication of high risk. Furthermore, the publication contains some useful interpretation of the relevant requirements under the GDPR and includes an analysis of the DPC’s view of some key terms used in Article 35 GDPR such as ‘high risk’, ‘significantly affect’, ‘new technology’ and ‘large scale’.
Under Article 35(5) a national supervisory authority may also make public a list of the types of processing activities for which no DPIA is required. This is not a step that supervisory authorities are required to take and it remains to be seen whether the DPC will choose to publish such a list.