The steady trickle of GDPR guidance from the Article 29 Working Party continues. Fresh from finalising its guidance on data portability, lead supervisory authorities and data protection officers, the Working Party has published draft guidance on data protection impact assessments (DPIA), the full text of which is available on the Working Party website. Comments can be submitted to the Working Party by 23 May 2017, after which the guidance will be finalised.
When to Carry out a DPIA
DPIAs are a key part of the GDPR accountability principle, and have to be carried out if a processing activity is “likely to result in a high risk” to data subjects. The Working Party’s guidance clarifies this phrase, and provides a series of concrete criteria which might trigger a DPIA, including:
- “evaluation and scoring” of an individual (e.g. profiling), especially where it relates to an individual’s performance at work, health, behaviour, location or movements;
- automated decision-making which would be subject to Article 22 GDPR;
- use of sensitive data, i.e. processing special categories of personal data or data relating to criminal convictions;
- processing on a large scale;
- using datasets that have been matched or combined, for example, combining data you have collected with data purchased from third-party data brokers;
- data concerning vulnerable subjects, such as employees (as their relationship with their employer is not an equal one), children and the elderly; and
- processing which might prevent individuals from exercising a right, using a service or entering into a contract. Examples include bank screening on the basis of credit referencing, which might prevent a data subject from entering into a contract, and processing of personal data in publicly accessible areas, for example through CCTV.
As a rule of thumb, the Working Party states that a processing operation meeting only one of the criteria may not need a full DPIA, but those meeting two or more criteria will require one. It stresses, though, that this principle is not absolute and each situation should be assessed individually.
Many companies will have existing processing operations which have never been subject to a DPIA. The Working Party recommends carrying out DPIAs for processing operations already in place which, if they were new, would require a DPIA. The Working Party goes on to state that, as a matter of good practice, all processing activities should be re-assessed approximately every three years to determine whether changes mean that a further DPIA is required.
The Working Party also addresses uncertainty in Article 36 regarding when controllers are required to approach supervisory authorities for consultation about a proposed processing activity. The Working Party guidance clarifies that controllers are only required to consult supervisory authorities where they are unable to find sufficient measures to appropriately reduce the risks of the processing activity to data subjects. In other words, if the controller can put in place appropriate measures to reduce the risks to data subjects, it will not have to consult with supervisory authorities.
The GDPR also contains a requirement to consult with data subjects where appropriate. The Working Party sets out a presumption that data subjects should be consulted, and a data controller should be prepared to explain why consultation was not carried out.
There is a useful diagram in the guidance which sets out a seven-step generic process for DPIAs. There are also helpful Annexes to the guidance, including examples of existing national and Europe-wide DPIA frameworks and a checklist of items to be included in DPIAs. These are likely to be useful resources when preparing DPIA templates, as the regulators may well want to see clear evidence of each of these steps being followed and each element in the checklist covered.