Under the EU General Data Protection Regulation, data protection impact assessments are required when data processing is “likely to result in a high risk to the rights and freedoms of natural persons.” Exactly what “high risk” entails, however, has been a difficult question to answer. In line with their obligations under Article 35(4), the supervisory authorities of 22 member states submitted draft lists to the European Data Protection Board of what they consider to be DPIA triggers. The EDPB subsequently issued opinions on each of these lists, pursuant to its responsibilities under Article 64(1). By analyzing these opinions and the submitted lists, writes IAPP Senior Westin Fellow Müge Fazlioglu, CIPP/E, CIPP/US, for The Privacy Advisor, organizations now should have a much better picture of what qualifies as “high-risk” processing.
If you want to comment on this post, you need to login.