As organizations scramble to implement alternative data transfer mechanisms and fill in their compliance gaps following the “Schrems II” decision, one important tool remains overlooked: the data protection impact assessment.
Based on the text of Article 35 of the EU General Data Protection Regulation and subsequent European Data Protection Board guidance, organizations have typically only conducted impact assessments for processing activities likely to result in a high risk.
Many companies, particularly smaller companies or those that are primarily data processors, don’t often conduct formal DPIAs because their activities don’t fall strictly within the specific EDPB guidance. In the instances when a DPIA is performed, it is almost always conducted by the data controller.
Based on the limited required scope and often misplaced concerns that conducting a DPIA might somehow open up an organization to additional liability (nothing requires an organization to formally report the results if the activities are not considered high risk or likely to cause harm to a data subject’s fundamental rights and freedoms), DPIAs are underused when it comes to building a data privacy program.
However, going forward, DPIAs should be considered beneficial to both controllers and processors for multiple reasons, including determining which alternative transfer mechanisms might be most viable, as well as establishing supplementary measures.
Also, in light of the recent decision, there is an argument that any processing activity involving a transfer outside of the European Economic Area could now be classified as a “high risk activity,” so a DPIA for such transfers may eventually become mandatory anyway.
There is no formal method for conducting a DPIA, which should give organizations comfort in developing templates that work best for their needs, as long as the template meets the primary goal of demonstrating that you have thoroughly considered any risks (including legal, corporate, civil and reputational) and taken actions to mitigate those risks. Each risk should be mapped to a specific internal control, ensuring that mitigation techniques are well documented and understood across the organization. There should be separate assessments based on either categories of data or specific products or services. Organizations should also record who (preferably an individual, but possibly a specific role) is responsible for either the specific control or for carrying out a plan to further mitigate the identified risk.
Core questions to consider are: Where is data coming from? What entity is sending the data? How is the data collected and on what legal basis? Are EU and U.S. personal data being commingled? Are you transferring data solely based on EU-U.S. Privacy Shield, or were you already using other mechanisms such as consent? Answering these questions should also provide confidence in answering questions you are inevitably getting from customers, users and vendors, and potentially data protection authorities.
The end result of a DPIA aimed at identifying new transfer mechanisms should be to document whether your organization is processing any data that might be at a higher risk of national security or law enforcement surveillance and, if it is, what mitigation steps you could take. This will help identify whether some data transfers are so high risk that the only solution might be to localize the data, cease the transfer, or otherwise separate or limit that category of data. For those transfers that are unlikely to be subject to law enforcement scrutiny, you will have a well-documented explanation that could serve as a possible supplementary measure.
The path forward after “Schrems II” will likely remain cloudy for the near future: even though the U.S. Department of Commerce and the EU Commission are working to “evaluate the potential” for an updated data transfer agreement, it will likely take at least one year to produce concrete results. A DPIA is one tool that Privacy Shield participants should rely on more to help provide clarity on data transfers, as well as on their overall data protection compliance program.