The Article 29 Working Party has published this week its “last revised” guidelines on data protection impact assessments and determining whether processing is “likely to result in a high risk” for the purposes of the GDPR. The DPIA is a “process” that, according to GDPR Article 35, at a minimum, systematically describes an organization’s processing operations and their purposes and assesses their necessity and proportionality, the risks they present to the rights and freedoms of data subjects, and the measures, safeguards, and mechanisms intended to address risks, so as “to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.”
When the WP29 released its proposed guidelines on the DPIA requirements in April, former IAPP Westin Fellow Callie Schroeder analyzed the key issues within the initial guidelines. While these key issues remain highly relevant and there are no major deviations from them, it’s worth noting some of the minor changes, deletions, and additions.
Emphasis on the risk-based approach to data protection and risk management
The relevancy of risk-based approaches to data protection and risk management as an underlying approach in the use of DPIAs is front and center in the revised text. A critical note that was added on this issue is that “obligation for controllers to conduct a DPIA in certain circumstances should be understood against the background of their general obligation to appropriately manage risks presented by the processing of personal data.” This encourages companies to think of DPIAs as a tool in their toolbox of risk management techniques.
Slight changes to the criteria to be considered
Under the GDPR, conducting DPIAs is required if the data processing is “likely to result in high risks.” Although the GDPR provides examples of data processing operations that would fall into this category, both versions of the Guidelines mention that this is a “non-exhaustive list.” Recognizing this, Working Party offers almost all the same criteria to be considered when determining whether an operation may “likely to result in a high risk,” albeit with minor revisions. These criteria include:
- “Evaluation or scoring (including profiling and predicting).”
- “Automated decision making with legal or similar significant effect.”
- “Systematic monitoring.”
- “Sensitive data or data of a highly personal nature.”
- “Data processed on a large scale.”
- “Matching or combining data sets.”
- “Data concerning vulnerable data subjects.”
- Innovative use or applying new technological or organizational solutions.”
- “[W]hen the processing (prevents data subjects from exercising a right or using a service or a contract.”
One of the criteria for determining whether processing is likely to result in high risk that was listed in the previous version of the guidelines, “data transfer across borders outside the European Union,” was removed. However, the revised guidelines keep the reference to international transfers as something that may require the conduct of a DPIA if it results in “a change of the risks.” In addition, Annex 2 contains language on the issue of assessing necessity and proportionality that indicates that measures contributing to the rights of the data subjects, such as safeguards surrounding international transfers, are to be considered.
The Article 29 Working Party also added the language of “data of a highly personal nature” next to sensitive data. Although it does not provide a new definition of sensitive data, this refinement might be helpful when assessing the different types information that may be considered likely to result in high risk when processing.
Additional examples and specifications
The revised guidelines expanded the possible relevant criteria in the examples given for processing, which may be useful for companies. One new example added is data processing by “an institution creating a national level credit rating or fraud database.” A DPIA would be required when one or more of the possible relevant criteria apply.
Lastly, the revised guidelines reiterated the importance of ensuring that DPIAs are “continuously reviewed” and “regularly reassessed.” Conducting DPIAs should not be seen only as a method of compliance, but at the heart of a company’s data protection activities. Therefore, it should be remembered that carrying out DPIAs is “a continual process, not a one-time exercise.”
Photo credit: DesignRecipe European Union Flags 2 via photopin (license)