The General Data Protection Regulation (Regulation n°2016/679, GDPR) will come into effect on May 25th, 2018. Among the Regulation's numerous obligations and requirements is the carrying out of a Data Protection Impact Assessment (DPIA).
Under article 35 of the GDPR a data controller shall carry out a DPIA when the processing “is likely to result in a high risk to the rights and freedoms of natural persons”. This risk is evaluated according to the nature, scope, context and purposes of the processing.
A data controller must carry out a DPIA prior to the implementation of the processing activities. However, a DPIA may also be required for existing operations, even if they have previously been checked by a supervisory authority, if the conditions of implementation have changed (ex: different scope or purpose, change in the personal data collected…). In this sense, the DPIA is a continual process and updates may become necessary.
Furthermore, a DPIA may address a single processing operation or a set of similar processing operations, whether carried out by a single controller or by several, that present similar high risks. The Article 29 Working Party (WP29) recommends that such a reference DPIA be shared or made publicly accessible and that a justification for conducting a single DPIA be provided. This measure aims at simplifying the obligation to carry out a DPIA and at avoiding a proliferation of DPIAs for similar processing activities.
The WP29 clarified the obligations and roles when performing a DPIA in its guidelines on Data Protection Impact Assessment and determining whether processing is “likely to result in a high risk” for the purpose of Regulation 2016/679, adopted on October 4th, 2017.
Mathias Avocats examines the WP29’s guidelines and stresses certain key points.
When is DPIA mandatory?
As previously stated, a DPIA must be carried out when the processing is “likely to result in a high risk”. The European institutions have identified three non-exhaustive situations in which a DPIA is required (article 35, 3° of the GDPR): (1) a systematic and extensive evaluation of personal aspects relating to natural persons based on automated processing, including profiling, on which decisions are based that produce legal effects on the data subject or similarly significantly affect him or her, (2) processing on a large scale of sensitive data or of personal data relating to criminal convictions and offences or, (3) a systematic monitoring of a publicly accessible area on a large scale.
However, the GDPR only provides limited guidance regarding what these situations imply. For example, when should processing activities be considered on a large scale? Or systematic?
The WP29 has pinpointed nine criteria which should be considered when determining whether a DPIA is required. Here are some of them:
- Evaluation or scoring, including profiling (ex: financial institution that screens its customers against a credit reference database);
- Sensitive data or data of a highly personal nature, of which recital 75 provides examples (ethnic origin, religion, genetic data…);
- Data processed on a large scale, for which the following factors should be considered: the number of data subjects concerned; the volume of data and/or the range of different data items being processed; the duration of the data processing activity; and the geographical extent of the processing activity;
- Matching or combining datasets (ex: two or more processing operations performed for different purposes and/or by different data controllers in a way that would exceed the reasonable expectations of the data subject);
- Data concerning vulnerable data subjects (ex: children, employees, asylum seekers…), this
- Innovative use or applying new technological or organizational solutions (recital 91), considering the fact that new technology may involve novel forms of data collection and usage (ex: connected objects);
- When the processing itself “prevents data subjects from exercising a right or using a service or contract”, including processing operations that aim at allowing, modifying or refusing data subjects’ access to a service or entry into a contract (ex: a bank screens its customers against a credit reference database in order to decide whether to offer them a loan).
As a rule of thumb, processing that meets two or more of these criteria will require a DPIA. These criteria have a wide-ranging scope. In practice, most data controllers, whether large or small companies, will have to carry out a DPIA.
Although this may seem overwhelming, WP29 provides a simple figure illustrating the process in its guidelines.
Who carries out a DPIA?
- The data controller…
It must be stressed that the controller is responsible for ensuring that a DPIA is carried out and remains ultimately accountable for it.
If joint controllers are involved in the processing operation, the WP29 recommends that the DPIA set out which party is responsible for the various measures designed to address the risks. Each controller should express his or her needs and share useful information without compromising secrets or disclosing vulnerabilities.
- …in a collaborative process
The data controller is not the sole actor. Indeed, if a Data Protection Officer (DPO) has been designated, his or her advice must be sought when carrying out the DPIA (article 35, 2° of the GDPR). Moreover, the DPO must monitor the performance of the DPIA (article 39, 1° c) of the GDPR). The data processor must also assist the data controller and provide any necessary information (article 28, 3°, f) of the GDPR).
Therefore, the DPIA is a collaborative process.
The controller must also consult the supervisory authority prior to processing where “a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk” (article 36 of the GDPR). In that case, the supervisory authority shall provide written advice to the data controller.
Finally, where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing.
What are the next steps?
A data controller should already be considering a method for carrying out a DPIA and be evaluating its existing processing activities to determine whether an assessment will be necessary. Annex 2 of WP29’s guidelines sets out a list of criteria allowing the data controller to determine whether the DPIA, or the methodology used, complies with the GDPR.
The French supervisory authority (Commission Nationale de l’Informatique et des Libertés, CNIL) has also published an infographic detailing the steps to be taken. Other supervisory authorities have also taken steps to help data controllers. For example, the Swiss Federal Data Protection and Information Commissioner provides a questionnaire which enables the data controller to anticipate the risks early on in the development of his or her project.
Mathias Avocats will keep you informed of any further developments.