The most recent guidance document issued by the Article 29 Working Party (29 WP) clarifies when and how a DPIA must be conducted. The main goal of a DPIA is to:

“describe the processing, assess the necessity and proportionality of a processing and to help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data”[1]

Through the use of DPIAs, the controller demonstrates that it complies with its responsibilities as established under the new Regulation[2].

DPIA for a single processing operation or for a set of similar operations?

A single DPIA may cover multiple processing operations that, once assessed on their nature, scope, context and purpose, present similar high risks[3]. Where there are joint controllers, the DPIA must define which controller is responsible for which of the measures implemented for the processing, so that the protection of the data subjects is ensured. Where a technology product[4] is used by several data controllers for their processing, the 29 WP suggests that the product provider prepare a DPIA on which those controllers can draw. The deploying (“user”) controller nonetheless remains responsible for assessing its own specific implementation, and whether a separate DPIA is needed for that implementation depends on how far it is already covered by the provider’s DPIA. In other words, each controller must define the extent of its own processing activities and describe the measures it applies in its own DPIA.

Which processing operations are subject to a DPIA?

A DPIA must be performed whenever the processing of personal data is likely to result in a “high risk” to the rights and freedoms of natural persons; however, the Regulation gives no clear definition of what such a risk involves. The 29 WP has attempted to define the concept as follows.

The GDPR lists in Article 35(3) the cases in which a DPIA must be performed and leaves the option open for other operations to be brought within the scope of this article. To that end, the guidelines introduce several criteria for determining the level of risk of a processing operation. As a rule of thumb, whenever a processing operation meets at least two of the following criteria, a DPIA must be performed:

  1. Evaluation or scoring.
  2. Automated decision-making with legal or similarly significant effect.
  3. Systematic monitoring.
  4. Sensitive data.
  5. Data processed on a large scale.
  6. Data sets that have been matched or combined.
  7. Data concerning vulnerable data subjects.
  8. Innovative use or application of new technological or organisational solutions.
  9. Data transfers across borders outside the European Union.
  10. Processing that in itself “prevents data subjects from exercising a right or using a service or contract.”

A processing operation that meets only one of the criteria may still require a DPIA if it is nevertheless likely to result in a high risk. Conversely, an operation that meets two or more criteria but is judged not to present a high risk may be exempted from a DPIA; in that case, however, the reasoning behind the decision must be documented.

While the intent of the criteria is to give substance to the term “high risk”, some of them, for example “data processed on a large scale”, remain unclear. The ambiguity of these criteria means that, in practice, most processing operations can be argued to require a DPIA.

When is a DPIA not required?

  1. Where the processing is not likely to result in a high risk to the rights and freedoms of natural persons[5].
  2. Where the nature, scope, context and purposes of the processing are very similar to those of a processing operation for which a DPIA has already been carried out.
  3. Where the processing has a legal basis in EU or Member State law, that law regulates the specific processing operation, and a DPIA has already been carried out as part of establishing that legal basis, unless the Member State has deemed a DPIA necessary[6].
  4. Where the processing operation appears on the list, drawn up by the supervisory authority, of processing operations that do not require a DPIA[7].

The guidelines state that a DPIA should be reviewed at least every three years, or sooner if the circumstances of the processing change. For operations that began before 25 May 2018, it is recommended that a DPIA be carried out as soon as possible. A DPIA should also be revisited whenever the underlying technology changes or the organisational or societal context of the processing activity changes[8].

How to carry out a DPIA?

The DPIA should be carried out before the processing commences, and as early as possible in the design of the processing operation. This way the DPIA can evolve with the project and ensure that data protection and privacy are considered from the outset. In some cases the DPIA will need to be updated once processing is under way, as the processing operations or the technology applied may change.

Who must carry out a DPIA?

The data controller is ultimately responsible for the DPIA. It must seek the advice of the DPO, where one has been designated, and that advice and the decisions taken must be documented in the DPIA; it may also call on the assistance of the processor.

What is the methodology of a DPIA?

While there are several approaches to conducting a DPIA, it is advisable to use a method that satisfies the criteria listed in Annex 2 of 17/EN WP 248.

The GDPR itself provides the general framework from which the methodology of a DPIA is derived; a DPIA must contain at least[9]:

  1. “a description of the envisaged processing operations and the purposes of the processing”;
  2. “an assessment of the necessity and proportionality of the processing”;
  3. “an assessment of the risks to the rights and freedoms of data subjects”;
  4. “the measures envisaged to:
    • “address the risks”;
    • “demonstrate compliance with this Regulation”.

Furthermore, compliance with an approved code of conduct should be taken into account, where applicable, as this helps demonstrate that adequate measures have been applied to the processing operation.

Other components that must be addressed in the DPIA are those relating to risk management, in accordance with recital 90 of the GDPR:

  1. Establishing the context: “taking into account the nature, scope, context and purposes of the processing and the sources of the risk”;
  2. Assessing the risks: “assess the particular likelihood and severity of the high risk”;
  3. Treating the risks: “mitigating that risk” and “ensuring the protection of personal data”, and “demonstrating compliance with this Regulation”.

In the absence of further specification in the GDPR, a DPIA that covers the aforementioned general criteria should be compliant with the Regulation and serve as a proper assessment of the risks involved.

Should a DPIA be published?

Although it is not a requirement under the GDPR, the 29 WP suggests that the data controller consider publishing its DPIAs, in full or in part, as this builds trust in its operations. Whenever prior consultation of the supervisory authority is required, however, the DPIA must be provided to the authority.

No Definite Guidelines

The publication of these criteria serves as a guideline for data controllers and processors on when and how to apply a DPIA. Nevertheless, the limits and standards of some of the criteria remain ambiguous, which suggests a broad scope of application and may lead to DPIAs being required for most data processing operations. Since there are (still) no definitive guidelines for the standardisation of a DPIA, controllers should carefully evaluate their chosen method against the criteria in Annex 2 to determine whether their DPIA meets the requirements.


[1] 17/EN WP 248 Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679

[2] Article 24 of the GDPR.

[3] Example provided by 17/EN WP 248, in which a railway operator (a single controller) covers video surveillance in all its train stations with a single DPIA.

[4] Hardware or software.

[5] Article 35(1) GDPR.

[6] Article 35 (10) GDPR.

[7] Article 35 (5) GDPR.

[8] For example, when data is transferred to a country that has left the EU.

[9] Article 35(7), and recitals 84 and 90 GDPR.