Data Protection Impact Assessments – What, When and How?
You’ve just finished presenting an exciting new product idea to your team when your DPO asks whether you’ve thought about completing a DPIA. Your DPO is, of course, referring to a Data Protection Impact Assessment. Under Article 35(1) of the General Data Protection Regulation (“GDPR”), a DPIA must be carried out before any processing of personal data that is likely to result in a “high risk” to the rights and freedoms of individuals, in particular where new technologies are used. Essentially, a DPIA is a documented process by which a data controller systematically identifies, assesses and minimises the risks that a specific processing activity poses to individuals.
In some cases, carrying out a DPIA is mandatory but in other cases a DPIA can be used as a best practice tool to identify any potential compliance gaps and help meet your accountability obligations under the GDPR. We previously discussed DPIAs before the GDPR came into force. In this article, we take a second look at when a DPIA is required and provide some practical tips you should consider when carrying out this crucial compliance exercise.
If you want to see an overview of the national DPIA “blacklists” (discussed below), read our table summary.
When is a DPIA required?
There are three sources to consider when determining whether you need to carry out a DPIA: the GDPR itself, guidance from the European Data Protection Board (“EDPB”) and the so-called national DPIA “blacklists”. We’ll take a look at each in turn.
- Article 35 of the GDPR
The GDPR itself doesn’t define “high risk” processing, but Article 35(3) does set out three scenarios in which a DPIA is always required. These are:
- a systematic and extensive evaluation of personal aspects of individuals based on automated processing, including profiling, on which decisions are based that produce legal effects or similarly significantly affect the individual,
- processing of special categories of personal data or personal data relating to criminal convictions and offences on a large scale, and
- systematic monitoring of a publicly accessible area on a large scale.
These scenarios are quite narrow, so assuming they don’t apply in your case you’ll need to consider other guidance on the topic.
- EDPB criteria
Fortunately, there are published guidelines on determining whether processing is likely to result in a “high risk” under the GDPR (WP 248 rev.01, originally adopted by the Article 29 Working Party and endorsed by the EDPB). These set out nine criteria that should be considered (the “EDPB criteria”).
Some of the EDPB criteria focus on the type or nature of the data and individuals involved: these include “data processed on a large scale”, the processing of “sensitive data or data of a highly personal nature” and “data concerning vulnerable data subjects”. Other criteria focus on how the data is processed and the methodologies used: these include processing that involves the “systematic monitoring” of individuals, “matching or combining datasets”, “evaluation or scoring” or the “innovative use or applying new technological or organisational solutions”. The final two EDPB criteria consider the potential impact on individuals: whether the processing involves “automated decision-making with legal or similar significant effect” (as per Article 22 of the GDPR) or otherwise “prevents data subjects from exercising a right or using a service or a contract”.
According to the guidelines, in most cases a DPIA will be required where two or more of the EDPB criteria apply, but in some cases a DPIA will be required where only one criterion applies. The guidelines give particular attention to new technologies (this is also specifically called out in Article 35(1) itself and in the recitals of the GDPR).
You’ll need to think about how the EDPB criteria apply in the context of your processing activity, taking into account what data you are processing, the types of individuals concerned, the methodologies and technologies involved, and the potential outcomes and impact on individuals. For example, a medical company that uses health information to build profiles of patients will likely need to conduct a DPIA, as it is processing sensitive data and using that data to evaluate or profile individuals (and potentially using innovative technology to do so). Equally, a manufacturer of a connected toy that collects children’s data would also need to carry out a DPIA, because it is using new and innovative technology and processing information about vulnerable data subjects (and potentially monitoring children’s behaviour as well).
The EDPB’s guidelines may give you a good idea of whether you’ll need to carry out a DPIA or not, but they aren’t the only guidance you should consider.
- National DPIA “blacklists”…