When to perform a Data Protection Impact Assessment?

Written by Yung Shin Van Der Sype and Michiel Sudnik, CITIP - KU LEUVEN

The General Data Protection Regulation (Regulation 2016/679) (GDPR) was adopted on 4 April 2017 and will apply from 25 May 2018. Article 35 of Regulation 2016/679 requires data controllers to perform a Data Protection Impact Assessment (DPIA), when the processing is “likely to result in a high risk to the rights and freedoms of natural persons”. 

To clarify this new GDPR requirement, the Article 29 Working Party recently released a document with guidelines on DPIAs.

(The Article 29 WP, WP258, 4 April 2017).

 

Data Protection Impact Assessment: A new requirement

Under Directive 95/46/EC, data controllers were obliged to notify the processing of personal data to the supervisory authorities. This notification obligation was abolished in the new GDPR, and was replaced by other mechanisms which are to prove to be effective procedures and mechanisms which focus on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons. One of these new mechanisms is called the Data Protection Impact Assessment.

In order to assess the severity of high data protection risks, the data controller needs to carry out a DPIA prior to the processing.

 

When is a Data Protection Impact Assessment necessary?

Article 35 (1) of the GDPR requires a DPIA only when a processing is “likely to result in a high risk to the rights and freedoms of natural persons”. This is, for example, the case when new technologies are used for a processing operation and the processing is likely to have a high risk of breaching the rights and freedoms of natural persons.

Article 35 (3) provides a non-exhaustive list of circumstances for which the data controller is required to perform a DPIA. This is a limited list and other circumstances could equally require a preliminary assessment of the risks of the processing operation.  The Article 29 WP now clarifies the indicators of high risk.

For the Article 29 WP, a situation only requires a DPIA, if it covers up more than two criteria. Nonetheless this is not an absolute rule, because it is also possible that in a certain situation, one criterion is dominant enough to require a DPIA.

 

Indicators of high risk

In order to determine whether a DPIA is necessary, due to the inherent high risk of the processing operation, the following criteria should be considered:

  1. 1) Evaluation or scoring:
    The risk of the processing operation is high, when there is a situation of evaluation or scoring and this because of the processing of “aspects concerning the data subject’s performance at work, health, economic situation, personal preferences or interests, reliability of behaviour, location or movements” (recitals 71 and 91). This is for example the case for a processing operation in which private companies generating profiles for contract directories use public social media profiles data.

  2. 2) Automated-decision making with legal or similar significant effects: Automated-decisions have legal or similar significant effects on individuals, therefore they constitute a high risk for these individuals. This is for example the case in a process that leads to discrimination against individuals.

  3. 3) Systematic monitoring:
    In a situation of systematic monitoring where there is “a systematic monitoring of a publicly accessible area”, the risk of the processing operation is high. This is for example the case in which a company monitored its employees’ activities; including the monitoring of the employees’ workstation, Internet activity, etc.


  4. 4) Processing sensitive data:
    This is for example applicable in a situation in which a hospital processes its patients’ genetic and health data.


  5. 5) Data processed on a large scale:
    The Article 29 WP recommends that a few factors have to be considered when determining whether the processing is carried out on a large scale. This is applicable to the same example of criteria 1.


  6. 6) Datasets matched or combined:
    This is applicable in a situation where two or more data processing operations are performed for different purposes.
    A DPIA is not required when the nature, scope, context and purposes of the processing are very similar to a processing operation for which a DPIA has been carried out. In this case the results of the DPIA for similar processing can be used.


  7. 7) Data concerning vulnerable data subjects:
    This type of processing can require a DPIA, because of the imbalance between the data subject and the data controller.
    This criterion could also be applied in the situation that a hospital processes its patients’ genetic and health data.


  8. 8) Applying technological or organisational solution:
    The use of a new technology can create the need to carry out a DPIA. It can involve forms of data collection and usage with a high risk to individuals’ rights and freedoms and this because of the innovation in technology. This innovation brings development, but the personal and social consequences are unknown.
    The “Internet of Things” and its applications can have an impact on individuals and could result in a high risk to the rights and freedoms of natural persons.


  9. 9) Data transfer across borders outside the European Union:
    DPIA is not required where a processing operation has a legal basis in the EU-law and has stated that DPIA does not have to be carried out.
    This condition is not applicable, when data is transferring across borders outside the European Union. In this situation DPIA is required because of the application of international law.


  10. 10) When the processing prevents that data subjects can exercise a right or use a service/contract:
    This criterion is for example applicable when a bank screens its customers against a credit reference database in order to decide whether to offer them a loan.

 

And now?

The requirement to carry out a DPIA applies to processing operations meeting the criteria in Article 35 and will be initiated after the GDPR becomes applicable on 25 May 2018. The Article 29 Working Party recommends carrying out DPIAs for high risk processing operations already underway, prior to the initiation in May 2018.

Thus, buckle up: It is better to act now and to make use of a DPIA where necessary.

 

by Yung Shin Van Der Sype and Michiel Sudnik, CITIP - KU LEUVEN

 




This project has received funding from the European Union’s Horizon 2020 Research and Innovation programme, under grant agreement No. 653618