Article 29 Working Party adopts guidelines on Data Protection Impact Assessments
When should a data controller conduct a Data Protection Impact Assessment (DPIA)?
DPIAs are a tool for data controllers to build and demonstrate compliance with the GDPR. The process is designed to encourage organisations to describe and audit their processing activity, consider its proportionality, and balance its necessity against the risks to the rights and freedoms of their data subjects.
While the Information Commissioner's Office (ICO) has long been advocating DPIAs as best practice, it is only now, under the GDPR, that DPIAs have become compulsory in certain circumstances.
Article 35 of the GDPR indicates that DPIAs will only be required when a data controller envisages that its processing is "likely to result in a high risk to the rights and freedoms of natural persons". To ensure a consistent interpretation of the circumstances in which a DPIA is mandatory, the WP29 has released guidelines which clarify and expand upon the examples of 'high-risk' processing outlined in the GDPR.
In brief, an organisation's processing is likely to result in a high risk to data subjects if it involves:
- evaluation or scoring (including profiling and predicting);
- automated decision making with legal or similar significant effect;
- systematic monitoring;
- sensitive data or data of a highly personal nature;
- data processed on a large scale;
- matching or combining data sets;
- data concerning vulnerable data subjects;
- innovative use or new technological or organisational solutions; or
- barriers preventing data subjects from exercising a right or using a service or contract.
As a rule of thumb, the WP29 considers that a processing activity meeting two (or more) of the above criteria will require a DPIA. If it is not clear whether a DPIA is necessary, the WP29 recommends that one is carried out nonetheless. As ever, organisations should adopt the 'data protection by design' approach – ie starting early (and in any case always prior to the commencement of processing), and treating DPIAs as a continual and evolving process rather than a one-time exercise.
While the GDPR is flexible as to the methodology used to undertake DPIAs, it does dictate some minimum required features:
- a description of the envisaged processing operations and the purposes of the processing;
- an assessment of the necessity and proportionality of the data processing;
- an assessment of the risks to the rights of the individuals affected; and
- measures envisaged to address the risks and demonstrate compliance with the GDPR.
If, after the DPIA has been completed, the data controller considers that it will not be able to sufficiently address the risks identified, it must consult its supervisory authority.
Why is this important?
Non-compliance with DPIA requirements under the GDPR (ie failure to carry out a DPIA when mandatory, carrying out a DPIA incorrectly, or failing to consult the relevant supervisory authority) can result in fines of up to €10m or 2% of total worldwide annual turnover, whichever is higher. And remember that a DPIA-level fine would be additional to the higher level fines (€20m or 4% of global turnover) which could follow the identification of other breaches under the GDPR (ie for the underlying cause of a breach itself).
Any practical tips?
Data controllers should take note of the nine criteria outlined by the WP29, and consider them each time a new processing activity is undertaken. In case of any doubt, it is better to be safe than sorry and conduct a DPIA – no one will blame you for properly stress-testing a new data activity with the threat of GDPR-level fines looming overhead.