As the deadline for complying with the GDPR looms, many in-house lawyers are asking “Do I need to conduct a DPIA?”.
Art. 35 GDPR introduces the data-protection impact assessment (DPIA) as a new instrument in your data protection toolkit. A DPIA serves to identify and evaluate the risks within an organisation's processes and systems, in order to protect the privacy of data subjects and to determine the degree to which the GDPR's requirements have been implemented.
In this post, we'll explore the grounds for conducting a DPIA, what the requirements are and, finally, what the legal department needs to do to ensure the GDPR's legal requirements are met.
Do I need to conduct a DPIA?
Pursuant to Art. 35 (1) GDPR, a DPIA should generally always be carried out where a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons due to the nature, scope, context and purposes of the processing. From a legal perspective, “high risk” is likely to apply when the extent and frequency of the proposed technology, project, activity or process adversely affects or interferes with the data protection rights of data subjects under the GDPR.
When determining whether the processing is likely to result in high risk, the Article 29 Data Protection Working Party guidelines offer the following criteria to consider:
- Are you doing evaluation or scoring (including profiling and predicting) of aspects specific to the data subject?
- Does the processing involve automated decision making that produces a significant effect on the data subject?
- Are you performing systematic monitoring of data subjects, including in a publicly accessible area?
- Does the processing involve sensitive data (special categories of data as defined in Article 9 and data regarding criminal offences)?
- Is the data being processed on a large scale?
- Have datasets been matched or combined?
- Does the data concern vulnerable data subjects (as laid out in Recital 75)?
- Does the processing involve an innovative use, or the application of new technological or organisational solutions (for example, combining fingerprint and facial recognition)?
- Are you transferring data outside the European Union?
- Will the processing itself prevent data subjects from exercising a right or using a service or a contract?
What are my obligations?
The DPIA should be carried out “prior to the processing” (Articles 35(1) and 35(10), recitals 90 and 93), which is consistent with the data protection by design and by default principles (Article 25 and recital 78) that seek to change how organisations think about data protection.
Art. 35 (3) GDPR gives some examples of where a DPIA is required:
- a systematic and extensive evaluation of personal aspects relating to natural persons which are based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of personal data or of data relating to criminal convictions and offences;
- systematic monitoring of publicly accessible areas on a large scale.
Art. 35 (7) GDPR defines minimum requirements for the content of a data protection impact assessment:
- a systematic description of the envisaged processing operations and purposes of the processing, including, where applicable, the legitimate interests of the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects;
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR.
Some of these DPIA requirements differ from those of a traditional privacy impact assessment (PIA), which has been advocated as a best practice for some time, so it is not safe to assume that a PIA completed in the past year meets all the GDPR requirements for a DPIA. In fact, when carrying out a data protection impact assessment, the advice of the data protection officer (if one has been appointed) must also be sought (Art. 35 (2) GDPR) to ensure that all the specific GDPR requirements are met.
What does the legal department need to do?
While conducting a DPIA is a legal obligation under the GDPR, it is not an activity that the legal department can carry out alone. To get detailed answers about data processes and systems, and about which GDPR requirements have already been met, the legal department will need to involve key stakeholders in IT, information security and privacy.
The GDPR does not specify which DPIA process must be followed; instead, it allows data controllers to introduce a framework that complements their existing working practices, provided it takes account of the components described in Article 35(7). A list of DPIA methodologies can be found here (see Annex 1), and the criteria which data controllers can use to assess whether a DPIA, or a methodology for carrying out a DPIA, is sufficiently comprehensive to comply with the GDPR can be found here (see Annex 2).
Ultimately, the controller is responsible and accountable for ensuring that the DPIA is carried out (Article 35(2)), even if it is carried out by someone else, inside or outside the organisation. Many companies may worry that consulting the competent supervisory authority will lead to increased bureaucracy and therefore higher costs; however, it is important to remember that companies cannot avoid this obligation. The better and the earlier you prepare, using suitable technologies to support you in analysing, optimising and documenting all relevant data-protection processes, the smaller the (additional) burden on your business will be. Professional data protection risk management will simplify your decisions on necessary countermeasures and on reporting duties to data protection authorities.