Although considered burdensome by some, data protection impact assessments (DPIAs) help controllers assess any data protection implications of their processing operations, with the added benefit of demonstrating compliance with the EU General Data Protection Regulation (GDPR). The Article 29 Working Party (WP29) recently published guidelines on DPIAs and on determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (Guidelines) to assist controllers in implementing DPIAs. The Guidelines explain not only what should be included in DPIAs but also, importantly, how they can be used effectively. Rather than defining DPIAs, the GDPR states they are required in “high risk” situations and thus the Guidelines explain “high risk” and specify, to the extent possible, the circumstances in which DPIAs are mandatory. Although the Guidelines do not provide a complete picture of how DPIAs will work in practice, several key questions have been addressed.
What does a DPIA entail?
While the form and structure of DPIAs are flexible so as to suit a variety of controller practices, they must, at a minimum, include:
- a description of the envisaged processing and the purposes of the processing;
- an assessment of the necessity and proportionality of the processing in relation to the purpose;
- an assessment of risks posed to data subjects’ rights and freedoms; and
- measures envisaged to address these risks and to demonstrate GDPR compliance.
The WP29 envisages sector-specific DPIA frameworks being developed and implemented at a later date.
When is a DPIA needed?
A DPIA is mandatory if the processing operation is “likely to result in a high risk to the rights and freedoms of natural persons”. A DPIA must be carried out prior to the processing in order to assess risk.
As well as providing a list of situations where DPIAs will be relevant, the Guidelines provide a non-exhaustive list of processing criteria to consider, and confirm that meeting two of these criteria (and in some cases only one) can give rise to the requirement for a DPIA. The list includes:
- evaluation or scoring (including profiling and predicting);
- systematic monitoring of data subjects;
- large-scale processing; and/or
- matching or combining types of data.
The Guidelines recommend that where it is unclear whether a DPIA is required, controllers should act with caution and carry out a DPIA regardless. They also include a list of circumstances where a DPIA is not required, as well as a detailed checklist of “criteria for an acceptable DPIA”.
What happens next?
Next steps depend on the outcome of a DPIA. Where a DPIA identifies risks that cannot be sufficiently mitigated by the controller, the controller must consult the supervisory authority. It is recommended that DPIAs be published once completed (although this is not compulsory). Looking further ahead, while the WP29 envisages that DPIAs are carried out continuously, revisiting them every three years is recommended even if a processing operation has not changed substantially.
Why should controllers act now?
As this requirement will apply to many processing operations after 25 May 2018, the WP29 advises that DPIAs are carried out prior to this date. An organisation’s failure to comply with any aspect of the DPIA requirement could result in administrative fines of up to €10 million or up to 2 per cent of its total worldwide annual turnover for the preceding financial year, whichever is the higher.