The Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP recently submitted formal comments (“Comments”) to the Article 29 Working Party’s (“Working Party’s”) Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (“DPIA Guidelines”) that were adopted on April 4, 2017. CIPL’s Comments follow its December 2016 white paper on Risk, High Risk, Risk Assessments and Data Protection Impact Assessments under the GDPR, which CIPL had submitted to the Working Party as formal initial input to its development of DPIAs and “high-risk” guidance.
CIPL’s Comments highlight the importance of preserving the DPIA’s special role as an accountability tool for high-risk processing under the EU General Data Protection Regulation (“GDPR”). CIPL acknowledges and appreciates the Working Party’s recognition that DPIAs and the notion of high risk are context specific and that organizations must have flexibility to devise risk assessment frameworks appropriate to them. To that effect, CIPL welcomes the Working Party’s inclusion of criteria for identifying high risk, as opposed to relying on a fixed list of high-risk processing activities.
CIPL’s Comments emphasize, however, that clarity is needed regarding several of the criteria put forward by the Working Party for determining whether a type of processing is high risk. This is especially important because a finding of high risk makes a DPIA mandatory. CIPL’s Comments also recommend additional elements for the Working Party to consider in the assessment of risk, including the benefits of the processing and the role of consent.
CIPL’s Comments also underline several key issues that it believes were insufficiently addressed by the DPIA Guidelines or which may require reconsideration, including:
- the role of DPIAs in the context of joint data controllers and data processors, and the treatment of such entities’ intellectual property and confidential information;
- data controllers’ reliance on existing DPIAs for newly implemented features or software across different products, and DPIAs for new technologies generally;
- problems associated with several proposed “high-risk” criteria;
- the importance of considering the benefits of processing in the context of DPIAs and risk assessments;
- GDPR requirements where data controllers choose not to conduct a DPIA and instances where DPIAs are not required;
- frequency of DPIAs and retiring existing DPIAs;
- potential burdens imposed by seeking the views of data subjects and their representatives when carrying out a DPIA;
- the roles of GDPR certifications, seals and marks, as well as BCRs and codes of conduct, when assessing the impact of a data processing operation;
- the scope of rights to be included in a DPIA; and
- burdens and risks associated with publishing DPIAs and the consequences of not publishing.
CIPL’s Comments were developed based on input by the private sector participants in CIPL’s ongoing GDPR Implementation Project, which includes more than 80 individual private sector organizations. As part of this initiative, CIPL will continue to provide formal input about other GDPR topics the Working Party prioritizes.