Among the new requirements of the European Union’s General Data Protection Regulation are the mandatory data protection impact assessments enshrined in Article 35. DPIAs are designed to evaluate processing practices, assess the necessity and proportionality of processing, and assist in managing risks to data subjects — essentially, to measure and demonstrate compliance with the GDPR. The penalties for non-compliance in fulfilling DPIA requirements are severe. Violations can result in administrative fines of up to 10 million euros or up to 2 percent of the organization’s total worldwide annual turnover for the preceding financial year.

On April 4, 2017, the Article 29 Data Protection Working Party released proposed guidelines for the GDPR’s DPIA requirements, which are open to public comment through May 23, 2017, by emailing presidenceg29@cnil.fr. The guidelines seek to clarify how DPIAs will function and when they are necessary.

Below are the key takeaways for data processors in understanding the newly proposed DPIA guidelines:

What does a DPIA address?

A single DPIA may address either a single data processing operation or multiple processing operations if they are similar in terms of risk, nature, scope, context, and purpose. One example of this would be a railway operator using one DPIA to cover video surveillance in all of its train stations. In this case, a single controller is using the same or similar technology for the same purpose in multiple locations. If a processing operation involves joint controllers, the DPIA must precisely set out which controller is responsible for each part of the processing operation.

Which processing operations are subject to a DPIA?

A DPIA is mandatory if the processing operation is “likely to result in a high risk to the rights and freedoms of natural persons.” When determining whether processing is likely to result in high risk, the guidelines offer the following criteria to consider:

  • Are you doing evaluation or scoring (including profiling and predicting) of aspects specific to the data subject?
  • Does the processing involve automated decision making that produces significant effect on the data subject?
  • Are you performing systematic monitoring of data subjects, including in a publicly accessible area?
  • Does the processing involve sensitive data (special categories of data as defined in Article 9 and data regarding criminal offences)?
  • Is the data being processed on a large scale?
  • Have datasets been matched or combined?
  • Does the data concern vulnerable data subjects (as laid out in Recital 75)?
  • Is this an innovative use or does it apply technological or organizational solutions (for example, combining use of finger print and facial recognition)?
  • Are you transferring data outside the European Union?
  • Will the processing itself prevent data subjects from exercising a right or using a service or a contract?

The guidelines offer a general rule of thumb that processing operations meeting at least two of these criteria will require a DPIA. However, a processing operation meeting only one criterion may require a DPIA depending on the circumstance. The guidelines also recommend using a DPIA when a processing operation is using new data processing technology. If in doubt over whether a DPIA is required, err on the side of caution and carry out a DPIA. Processors and controllers should note that if a processing operation is deemed “high risk” enough to warrant a DPIA, it must also fulfill the high risk obligations found in Article 36 (consulting the relevant supervisory authority before conducting the processing) and Article 34 (notifying individuals of personal data breaches).

A DPIA is not required when processing is not “likely to result in a high risk,” has already been authorized in a very similar processing, has a legal basis in EU or Member State law, or where the processing is included on the optional list established by the supervisory authority of exempted processing operations.

The DPIA requirement will apply to processing operations initiated after May 25, 2018. The Working Party strongly recommends carrying out DPIAs for processing operations that start prior to May 25, 2018, that are still in progress at that date, especially if the processing has incorporated a new technology or changed in purpose, risk, context, or source.

How to carry out a DPIA

A DPIA should be carried out prior to the actual processing. While the DPIA may be carried out by another party, the controller maintains accountability for assuring that the requirement is satisfied. The controller should consult with the Data Protection Officer (DPO) and incorporate the DPO’s advice into the DPIA. If a data processor performs all or part of the processing, the processor should also assist with the DPIA. Where appropriate, a controller should seek the views of data subjects regarding processing as well. The guidelines state that the controller should document its reasons for not seeking the views of data subjects if it deems such action not appropriate. However, the guidelines offer no guidance to determine when seeking data subjects’ views is or is not appropriate.

A DPIA must include, at minimum, four features:

  • A description of the proposed processing operation and its purpose.
  • An assessment of the processing’s necessity and proportionality.
  • An assessment of risks to data subjects.
  • Measures to address the risks and demonstrate compliance with the GDPR.

In addition, the DPIA must look at compliance with any applicable codes of conduct.

Though all of these components are necessary, the exact form and structure of each DPIA is left flexible in order to fit within each controller’s existing structure and practices. In all forms, the DPIA serves as a genuine assessment of risks and a tool for addressing those risks. The guidelines include annexes with examples of frameworks and criteria for an acceptable DPIA. The WP29 also encourages the development of sector-specific DPIA frameworks to better address particular types of processing operations.

While publishing a DPIA is not legally required, the guidelines strongly urge controllers to consider publishing all or part of their DPIAs to help foster trust in the processing operations and demonstrate transparency. This is particularly useful in cases where members of the public are affected by the processing operation, such as when public authorities carry out DPIAs. 

Consult supervisory authority if residual risks are high

In a circumstance where a DPIA identifies risks that cannot be sufficiently mitigated by the data controller, the data controller must consult the supervisory authority. This includes a situation where data subjects may encounter significant or irreversible consequences from the processing or when it seems obvious that the risk will occur. Controllers must also consult the supervisory authority when the Member State law mandates consultation for performance of a task carried out in the public interest. Requirements to retain records of the DPIA and update the DPIA still apply in these cases.

Conclusion

DPIAs serve to facilitate compliance with the GDPR. The WP29's proposed guidelines shed light on how controllers can prepare to implement DPIAs into their processing operations. These assessments are particularly important whenever high-risk data is processed. The guidelines therefore also help controllers and processors understand which situations present a “high risk” under the GDPR, which will be useful for construing many of the regulation’s key risk-based provisions.