The Article 29 Working Party has adopted Guidelines on Data Protection Impact Assessments (DPIAs), following its consultation on a draft version published in April 2017. The final version provides additional guidance in a number of areas without materially changing the position.
Further guidance is provided on the trigger for mandatory DPIAs – whether the processing is likely to result in a “high risk to the rights and freedoms of natural persons.” Additional emphasis is placed on the obligations of controllers in cases where a DPIA is not required, pointing out that they must implement measures to appropriately manage risks regardless and, further, that they must continuously assess the risks to identify when they may trigger the DPIA obligation. The final Guidelines also discuss the sharing of information relating to DPIAs amongst joint controllers or where similar processing operations are carried out by various data controllers.
In the section outlining the criteria that should be considered in determining whether a DPIA is required, one of the ten factors has been removed (international transfers to countries outside the EU). This is a positive development since the Guidelines state that a DPIA will likely be required where two of the criteria are met. As so many data processing activities involve international transfers, this would have captured a large amount of processing activities. Also noteworthy is a new illustration of the first criterion (Evaluation or scoring) that has been added: a financial institution that screens its customers against anti-money laundering and counter-terrorist financing or fraud. The “sensitive data” criterion has been expanded to expressly include as well “data of a highly personal nature.” The illustrative table has been expanded to include additional examples of processing activities that are likely to require a DPIA.
Crucially, the Guidelines no longer grandfather-in high-risk processing operations initiated before the GDPR becomes applicable on 25 May 2018. The revised text requires a DPIA to be carried out for existing operations if they carry a high risk and “there has been a change of the risks, taking into account the nature, scope, context and purposes of the processing” – such as the use of a new technology. It is unclear how this far narrower grandfather provision will be implemented in practice and whether it will only apply in cases where a supervisory authority previously checked the processing activity prior to the GDPR coming into force. Because DPIAs may take considerable time to complete in line with the GDPR requirements and the WP29 guidance on how to conduct them, this amendment should be examined by companies whose processing activities might currently fall into the “high risk” category but were not planning to conduct a DPIA based on the “existing processing” exception.