knowledge | 24 May 2017 |
Data Protection Impact Assessment Guidelines
Following the publication of its guidance on a number of elements of the General Data Protection Regulation (“GDPR”) (the right to data portability, Data Protection Officers, and identifying the lead supervisory authority), the Article 29 Data Protection Working Party (“WP29”) has now published further draft guidelines on Data Protection Impact Assessments. The WP29 is inviting comments on these draft guidelines up to 23 May 2017.
Under Article 35 of the GDPR, a Data Protection Impact Assessment, or “DPIA”, will be required where the processing of personal data is “likely to result in a high risk to the rights and freedoms of natural persons”. These new guidelines seek to clarify, and provide some examples of, the circumstances where a DPIA will be required under the GPDR.
Examples of “high risk” processing
The guidelines suggest some criteria that should be considered in assessing whether the processing of personal data is likely to be considered “high risk”. These include where the processing involves:
- evaluation or scoring, including profiling and predicting, especially relating to an individual’s performance at work, economic situation, credit-worthiness, health etc.;
- “sensitive” data – that is “special” categories of data as defined in Article 9 (broadly corresponding to “sensitive” personal data under current data protection law) and also data such as electronic communication data, location data and financial data;
- data processed on a large scale – “large scale” to be interpreted by reference to matters such as the number of data subjects, volume of data, and the duration/ permanence and geographic extent of the data processing;
- data concerning “vulnerable” data subjects – examples of such persons include employees, children, the mentally ill, asylum seekers, the elderly, patients - any case, according to the WP29, where there is an imbalance in the relationship between the data subject and the controller;
- the innovative use of technology (e.g. combining use of fingerprint and face recognition for improved physical access, control, etc.) or technology involving novel forms of data collection and usage (e.g. certain internet of things applications);
- data transfers outside of the European Union.
The guidelines indicate that, as a rule of thumb, processing involving two of the criteria will be “high risk” and require a DPIA. Processing involving only one criterion may not require a DPIA; however, this will need to be assessed on a case by case basis. As one would expect, in cases where it is not clear if a DPIA is required, the WP29 recommends carrying one out.
Timing of DPIAs
DPIAs will only be required for relevant processing operations initiated on or after 25 May 2018. While the WP29 “strongly recommends” that DPIAs be carried out in relation to existing operations, this is not required unless the processing changes significantly - e.g. where new technology is introduced.
The WP29 emphasises that, consistent with the data protection by design and default principles of the GDPR, a DPIA should be carried out in advance of the relevant processing. The WP29 further recommends that, as a matter of good practice, a DPIA should be continuously carried out on existing processing activities and should be re-assessed every three years (or sooner, depending on the nature of the processing, type of technology, etc.).
Process and methodology
The guidelines include a chart suggesting a process for carrying out a DPIA. However, they also emphasise that data controllers have flexibility under the GDPR to determine the precise nature and form of the DPIA. Helpfully, they clarify that the form of the DPIA can be incorporated within existing practices and risk assessment frameworks (e.g. ISO standards). In this regard, the guidelines also include examples of existing EU DPIA frameworks which can be used, including ones previously published by the French and UK DPAs.
In addition, Annex 2 of the guidelines includes a helpful checklist which data controllers can use to assess whether a DPIA, or the methodology used to carry out a DPIA, is sufficiently comprehensive to comply with the requirements of the GDPR. Many organisations will be starting at this stage to establish the format /methodology for DPIAs in readiness for the (rapidly advancing) May 2018 GDPR deadline, and should find these guidelines helpful.
This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.