The Article 29 Working Party (“WP29“) has recently adopted new General Data Protection Regulation (“GDPR“) Guidance, this time focusing on Data Protection Impact Assessments (“DPIAs“). The Guidelines aim to clarify when a DPIA is required and provide criteria for the lists of the kind of processing operations which are subject to the requirement for a DPIA, to be adopted by Data Protection Authorities under Article 35(4) of the GDPR.
Although the guidance has been formally “adopted”, the WP29 is welcoming comments from stakeholders until 23 May 2017, so it is possible that elements may be modified in the near future. The guidance is significant as it represents EU data protection authorities’ collective interpretation of this important new compliance requirement.
Any comments on the guidelines can be sent to the following addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu and email@example.com by 23 May 2017.
What is a Data Protection Impact Assessment?
DPIAs are not a formal requirement of the current regime, but are already strongly encouraged by the Information Commissioner as a way to demonstrate compliance (see the ICO Guidance from 2014 here), a DPIA is a process designed to:
- describe the processing;
- assess the necessity and proportionality of the processing;
- help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data.
It is a key part of complying with the GDPR, in particular the basic responsibilities of data controllers outlined in Article 24(1), where “high risk” processing is planned or is taking place.
Are DPIAs mandatory for all processing?
Consistent with the risk-based approached embodied by the GDPR, carrying out a DPIA is not mandatory for every processing operation. Article 35(1) of the GDPR states that a DPIA is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons”.
What are the penalties for non-compliance?
Under the GDPR, non-compliance with DPIA requirements (whether failing to do one or not doing one properly) can lead to fines imposed by the relevant data protection authority of up to 10M€, or up to 2 % of the total worldwide annual turnover, whichever is higher. It is important therefore that companies carefully prepare their DPIA processes.
When is processing considered high risk, triggering the need for a DPIA?
Building on the criteria outlined in Article 35(3) of the GDPR, the Guidelines identify the following factors to be considered when determining whether processing is to be considered “high risk”:
- evaluation or scoring, including profiling and predicting;
- automated-decision making with legal or similar significant effect;
- systematic monitoring ;
- sensitive data;
- data processed on a large scale;
- datasets that have been matched or combined;
- data concerning vulnerable data subjects;
- innovative use or applying technological or organisational solutions;
- data transfer across borders outside the European Union;
- when the processing in itself “prevents data subjects from exercising a right or using a service or a contract”.
The Guidelines state that, as a rule of thumb, a processing operation meeting less than two criteria may not require a DPIA due to the lower level of risk, and processing operations which meet at least two of these criteria will require a DPIA. If a data controller believes that despite the fact that the processing meets at least two criteria, it is considered not to be “likely high risk”, he/she has to thoroughly document the reasons for not carrying out a DPIA.
Does the DPIA requirement extend to processing carried out before the GDPR go-live date, 25 May 2018?
The Guidelines state that the requirement to carry out a DPIA applies to processing operations meeting the criteria in Article 35, and initiated after the GPDR implementation date. However, the WP29 strongly recommends retrospective DPIAs for processing already underway pre May 2018.
How often should DPIAs be carried out?
As a matter of good practice, the WP29 encourages data controllers to continuously carry out a DPIA on existing processing activities and a re-assessment every three years.
Who is obliged to carry out the DPIA?
As per Article 35(2) of the GDPR, the controller is ultimately responsible for ensuring that the DPIA is carried out. Where designated, the controller must also seek the advice of the Data Protection Officer. If the processing is wholly or partly performed by a data processor, the processor should assist the controller in carrying out the DPIA and provide any necessary information.
Further, the controller must “seek the views of data subjects or their representatives” (Article 35(9)), “where appropriate”. The WP29 considers that:
- those views could be sought through a variety of means, depending on the context (e.g. an internal or external study);
- if the data controller’s final decision differs from the views of the data subjects, its reasons for going ahead or not should be documented;
- the controller should also document its justification for not seeking the views of data subjects, if it decides that this is not appropriate.
Should the DPIA be published?
Though not a legal requirement of the GDPR, the WP29 encourages data controllers to consider publishing their DPIA, at least in part. They suggest that this will help to foster trust in the controller’s processing operations, and demonstrate accountability and transparency. Further, should a DPIA be published, it does not need to present the whole assessment, especially when it could give away commercially sensitive information.
Interested parties who have comments on the guidelines have until 23 May 2017 to make their views known to the WP29. In the coming weeks, WP29 plans to publish further guidance on Certification. Datonomy will continue to bring you updates on all GDPR guidance as and when it is released.