The Article 29 Working Party has published draft guidance on conducting data protection impact assessments under the General Data Protection Regulation.
What’s the issue?
A data protection impact assessment (DPIA) is a tool mandated under the incoming General Data Protection Regulation (GDPR) under certain circumstances, to help data controllers analyse prospective or actual personal data processing operations. DPIAs are a vehicle to allow organisations to assess the necessity and proportionality of the processing and help them manage risks to the rights and freedoms of individuals created by the processing, comply with obligations under the GDPR and, crucially, demonstrate compliance.
DPIAs must be carried out in relation to processing operations which pose a high risk to the rights and freedoms of individuals. While the ultimate responsibility for conducting a DPIA rests with the controller, they do not necessarily have to carry out the DPIA themselves but can do it in conjunction with a processor, a DPO or a neutral third party.
The GDPR does not define what is meant by a DPIA but it does set out minimal requirements in Article 35(7) as including:
- a systematic description of the proposed processing, including the purposes and grounds of the processing;
- an assessment of the necessity and proportionality of the processing in the context of the purposes;
- an assessment of the risks to the rights and freedoms of individuals; and
- measures taken to address those risks.
It is essentially a more developed form of the regulator-recommended (but not mandatory) privacy impact assessment (or PIA).
What’s the development?
The Article 29 Working Party (WP) has produced draft guidance on DPIAs. While there may be further changes in the final version, there are unlikely to be major differences at this stage. The guidance sets out more detail about when a DPIA should be carried out, when there is no need to complete one and covers suggested ways to conduct them in accordance with the requirements under the GDPR.
The WP summarises the obligations on the data controller where high risk processing is planned as follows:
- choose a DPIA methodology and implement a systematic process which:
  - is compliant with the criteria in Annex 2;
  - is integrated into existing processes;
  - involves the appropriate interested parties;
- consult the supervisory authority when they have failed to determine sufficient measures to mitigate high risks;
- periodically review the DPIA and the processing it assesses, at least when there is a change to the risk posed by the processing operation; and
- document the decisions taken.
What does this mean for you?
Both the ICO and the Article 29 Working Party are clear that there is no requirement to carry out a DPIA before the GDPR takes effect on 25 May 2018. The advice, however, is to begin carrying them out as soon as possible, in particular in relation to processing operations which will continue beyond May 2018. There is only a requirement to carry out a DPIA on an operation begun before May 2018 where the existing operation changes significantly after the GDPR takes effect. The WP “strongly recommends” carrying out DPIAs for processing operations already underway before the implementation date.
We recommend that organisations act early and begin conducting DPIAs as though the GDPR were already in force. DPIAs are supposed to be carried out before the processing operation starts, which makes them integral to ‘privacy by design’. While they can be undertaken at any point and should be reviewed on a regular basis (the WP recommends at least every three years), it is harder to act retrospectively. Far better to get it right at the outset, even if there is no legal obligation to carry out a PIA under the current Data Protection Act, than to invest time and money in a processing operation which will not be GDPR-compliant.
When is processing ‘high risk’?
The GDPR gives a non-exhaustive list of circumstances where processing is likely to be high risk, including systematic evaluation and profiling on which decisions are taken which have legal effect or significantly affect individuals; processing on a large scale of sensitive data; and systematic monitoring of a publicly accessible area on a large scale.
In addition, the WP’s draft guidance on DPIAs provides a list of ten potentially high risk processing activities:
- evaluation or scoring, including profiling and predicting;
- automated decision making with legal or similar significant effect;
- systematic monitoring;
- use of sensitive data;
- data processed on a large scale;
- datasets which have been matched or combined;
- data concerning vulnerable data subjects;
- innovative use or application of technological or organisational solutions;
- data transfers to third countries; and
- processing which in itself prevents data subjects from exercising a right or using a service or contract.
The WP suggests, as a rule of thumb, that where the processing meets more than two of the criteria, there is likely to be a high risk and a DPIA should be carried out. Where two or fewer criteria are met, a DPIA may not be necessary. However, the WP underlines that this is not definitive and stresses that the reasons for not carrying out a DPIA must be documented.
The WP goes on to suggest that a DPIA is not required where the processing:
- is not likely to result in a high risk;
- has a legal basis in EU or Member State law which states that an initial DPIA does not have to be carried out, where that law regulates the processing operation and a DPIA has already been carried out as part of the establishment of that legal basis; or
- is included on the optional list established by the supervisory authority of processing for which no DPIA is required.
At what point should a DPIA be carried out?
DPIAs should be carried out before the processing begins and should be started as early as practical, even if this means they need to be reviewed as part of an ongoing process as a project develops. They should be reviewed and updated on a regular basis, and at least every three years if not sooner.
Is there a prescribed method for carrying out a DPIA?
Different methodologies may be used to carry out a DPIA, provided the minimum features set out under the GDPR are applied, and the WP encourages the development of sector-specific DPIA frameworks.
Should the data controller consult other parties?
The WP says the data controller must seek the advice of the DPO where applicable, and the views of data subjects or their representatives where appropriate. Controllers will then need to consult their supervisory authority when residual risks are high and where required to do so under Member State law.
Should DPIAs be published?
While publishing a DPIA is not a requirement under the GDPR (except where prior consultation is sought from the regulator), the WP suggests they should be published in part or in full, particularly where members of the public are affected by the processing operation.