In preparation for the GDPR becoming applicable on 25 May 2018, the Privacy Commission has published a recommendation on data protection impact assessments (DPIAs).
The DPIA is a novelty of the GDPR (even though risk assessments are commonplace in today's business processes), but the text of the GDPR arguably left much to be desired, and the Opinions of the Article 29 Working Party (WP29) did not fully eliminate the uncertainty on this issue either.
A primary issue is the question of when a DPIA is triggered. The GDPR requires a DPIA when a personal data processing operation under consideration (or a modification to it) is likely to result in a high risk to the rights and freedoms of data subjects. But what constitutes a high risk? The Privacy Commission has tried to answer that question by defining nine criteria that indicate such a risk:
- Evaluation or scoring
- Automated decision making with legal consequences
- Structured monitoring
- Processing of sensitive data or data of a highly personal nature
- Large-scale processing
- Matching or combining of datasets
- Data on vulnerable persons
- Innovative use or application of new technologies or organizational applications
- Processing that prevents data subjects from exercising their rights or from using a service or contract
Processing that meets two or more of these criteria requires a DPIA. For some processing operations, meeting a single criterion is enough to trigger a DPIA.
The Privacy Commission also describes the required elements of a DPIA but refrains from prescribing a methodology; for that it refers to existing risk analysis methodologies. It also addresses the GDPR's requirement to notify (consult) the supervisory authority on the basis of a DPIA. In the Commission's view, this consultation is required whenever the outcome of the DPIA indicates a high risk to the rights and freedoms of data subjects even after the risk-mitigating measures have been put in place. In other words, it is the residual risk that triggers the notification.
The Recommendation also addresses finer details such as the different parties and their respective roles in a DPIA, the criteria for exemption from the DPIA requirement, and the maintenance of DPIAs. On this last point, the Privacy Commission considers that DPIAs must be reviewed at least every three years, and that a change to a processing operation that already exists on 25 May 2018 requires a complete DPIA of the whole operation, not only of the modification.
The Recommendation concludes with annexes listing the processing activities that always require a DPIA and those that are exempt from the requirement. These annexes are subject to adoption by the Data Protection Authority, the Privacy Commission's successor.
While the Recommendation does not put an end to all discussions, it does provide welcome clarification on the DPIA process. It will be interesting to see whether the Data Protection Authority adopts the annexes as they stand or modifies them.