knowledge | 24 May 2017 |

Data Protection Impact Assessment Guidelines

Following the publication of its guidance on a number of elements of the General Data Protection Regulation (“GDPR”) (the right to data portability, Data  Protection Officers, and  identifying the  lead supervisory authority), the Article 29 Data Protection Working Party (“WP29”) has now published further draft guidelines on Data  Protection Impact Assessments. The  WP29 is inviting comments on these draft guidelines up to 23 May 2017.

Under Article 35 of the GDPR, a Data Protection Impact Assessment, or “DPIA”, will be required where the processing of personal  data  is  “likely  to  result  in  a  high risk to the rights and freedoms of natural persons”. These new guidelines seek  to clarify,  and  provide  some  examples  of, the circumstances where a DPIA will be required  under  the GPDR.

Examples of “high risk” processing

The guidelines suggest some criteria that should be considered in assessing whether the processing of personal data is likely to  be considered “high risk”. These  include where  the  processing involves:

  • evaluation or scoring, including profiling and  predicting,  especially  relating to an individual’s performance at work, economic situation, credit-worthiness, health  etc.;
  • “sensitive” data – that is “special” categories of data as defined in Article 9 (broadly corresponding to “sensitive” personal data under current data protection law) and also data such as electronic communication data, location data  and  financial data;
  • data processed on a large scale“large scale” to be interpreted by reference to matters such as the  number  of  data  subjects, volume of data, and the duration/ permanence and geographic extent of the data  processing;
  • data  concerning  “vulnerable”  data subjects examples of such persons include employees, children, the mentally ill, asylum  seekers,  the  elderly,  patients  - any case, according to the WP29, where there is an imbalance in the relationship between the data subject and the controller;
  • the innovative use of technology (e.g. combining use of fingerprint and face recognition for improved physical access, control,  etc.)  or  technology  involving novel forms of data collection and usage (e.g. certain internet of things applications);
  • data transfers outside of the European Union.

The guidelines indicate that, as a rule of thumb, processing involving two of the criteria will be “high risk” and require a  DPIA. Processing  involving  only  one  criterion may not require a DPIA; however, this will need  to  be  assessed  on  a  case  by case basis. As one would expect, in  cases where it is not clear if a DPIA is required,  the WP29 recommends carrying one out.

Timing of DPIAs

DPIAs will only be required for relevant processing  operations  initiated  on  or  after 25 May 2018. While the WP29 “strongly recommends” that DPIAs be carried out in relation to existing operations, this is not required unless the processing changes significantly - e.g. where new technology is introduced.

The WP29 emphasises that, consistent with the data protection by design and default principles of the GDPR, a DPIA should be carried out in advance of the relevant processing. The WP29 further recommends that, as a matter of good practice,  a  DPIA should be continuously  carried  out  on existing  processing  activities  and should be re-assessed every three years (or sooner, depending on the nature of the processing, type of technology, etc.).

Process  and  methodology

The guidelines include a chart suggesting   a process for carrying out a DPIA.  However, they also emphasise that data controllers  have  flexibility  under  the GDPR  to  determine  the  precise  nature and form of  the  DPIA.  Helpfully,  they clarify that the form of the DPIA can be incorporated  within  existing  practices and risk assessment frameworks (e.g. ISO standards).  In  this  regard,  the guidelines also include examples of existing EU DPIA frameworks which can be used, including ones previously  published  by  the  French and  UK DPAs.

In addition, Annex  2  of  the  guidelines includes a helpful checklist which data controllers  can  use  to  assess  whether  a DPIA, or the methodology used to carry out    a DPIA, is sufficiently comprehensive to comply with the requirements of the GDPR. Many organisations will be starting at this stage to establish the  format  /methodology for DPIAs in readiness for the (rapidly advancing) May 2018 GDPR deadline, and should  find  these  guidelines helpful.

This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.

Key contacts