A data protection impact assessment (DPIA) is a useful tool when implementing data processing systems that comply with the General Data Protection Regulation (GDPR). DPIAs are also mandatory for some types of processing. Failure to conduct a DPIA, to conduct one correctly, or to consult the supervisory authority where required could all lead to penalties of up to €10 million or 2% of worldwide turnover – whichever is greater. The EU Article 29 Working Party (WP29) recently published draft guidelines to clarify when DPIAs are necessary and how they should be applied. The key points from the guidelines are summarised below.
Which processing operations are subject to a DPIA?
A DPIA is mandatory when processing is “likely to result in a high risk to the rights and freedoms of natural persons”. The guidelines offer the following criteria to consider:
- Evaluation or scoring, including profiling
- Automated decision-making
- Systematic monitoring of individuals
- Processing sensitive data
- Processing data on a large scale
- Matching or combining datasets
- Processing data concerning vulnerable data subjects
- Innovative use or application of technological or organisational solutions
- Data transfer across borders outside the European Union
- When the processing in itself “prevents data subjects from exercising a right or using a service or a contract”
The guidelines state that, as a rule of thumb, data processing operations that meet at least two of these criteria will require a DPIA.
How to carry out a DPIA
The guidelines emphasise that a DPIA should be carried out prior to processing, and recommend a “privacy by design” approach – starting early and updating the DPIA throughout the lifecycle of the project – treating the DPIA as a “continual process, not a one-time exercise”.
A DPIA may be conducted by someone else, but the controller remains ultimately accountable. This also applies when outsourcing the data processing to a service provider.
The organisation must also seek the advice of a data protection officer (DPO), if one has been designated, and, when appropriate, “seek the views of data subjects or their representatives” regarding the processing.
The GDPR does not specify which DPIA process must be followed. There are a number of different established processes within the EU, and the guidelines list some examples, including the ICO’s PIA code of practice.