Data protection impact assessments (DPIAs) have been getting a lot of attention lately thanks to the upcoming EU General Data Protection Regulation (GDPR). For the first time, the GDPR makes DPIAs mandatory “where a type of processing . . . is likely to result in a high risk to the rights and freedoms of natural persons.”1 While this seems straightforward, the GDPR sets specific requirements for what a DPIA must include and for how the assessment must be carried out. A common pitfall is for an organization to assume that its pre-existing assessment approach already meets the GDPR's requirements, without first digging into what those requirements actually are.
What is a DPIA?
Generally speaking, a DPIA is an assessment used by an organization to identify and reduce risks to privacy and data protection. While the GDPR provides data controllers with flexibility in determining the precise structure and form of the DPIA, the end result must be a genuine assessment of risk that also supports controllers in taking measures to address and treat those risks. A DPIA should describe the processing activity, assess its necessity and proportionality, and help to manage any risks to the rights and freedoms of individuals.
There are a variety of tools out there designed to assist with this work. OneTrust, for example, has DPIA templates that can be used to support compliance with the GDPR and other laws. Using tools like OneTrust can help to streamline workflows, enable greater collaboration between the privacy office and business teams, and operationalize Privacy by Design.
The Article 29 Working Party
In April 2017, the Article 29 Working Party (WP29) released a draft of its guidelines on DPIAs and determining whether processing is “likely to result in a high risk” for the purposes of the GDPR. After examining comments received during the public consultation period for the draft, the WP29 has adopted a revised version of the guidelines. The stated purpose of the guidelines is to anticipate future guidelines, recommendations and best practices expected to be issued by the European Data Protection Board (EDPB) according to Article 70(1)(e), “and therefore to clarify the relevant provisions of the GDPR in order to help controllers comply with the law and to provide legal certainty for controllers who are required to carry out a DPIA.”2
While the WP29 did not make any major revisions to its guidelines, there were some tweaks worth noting, such as:
- Reinforcing the importance of taking a risk-based approach;
- Removing cross-border transfer from the criteria to consider when evaluating for high risk;
- Adding additional practical examples of activities that might constitute high-risk;
- Announcing that DPIAs may also be required in some circumstances for processing activities existing prior to May 25, 2018;3
- Removing the minimum three year re-assessment requirement;4 and
- Further defining the role of Chief Information Security Officers (CISO) and Data Protection Officers (DPO) in the DPIA process.5
What is “high risk”?
As mentioned above, a DPIA is mandatory where a processing activity is “likely to result in a high risk” to individuals. This, of course, raises the question of what counts as high risk. The GDPR offers some guidance by giving examples of when a DPIA may be required, but in many ways those examples raise more questions than they answer.6 For example, what in practice constitutes “systematic and extensive evaluation of personal aspects,” “processing on a large scale of special categories,” or “systematic monitoring of a publicly accessible area on a large scale”?
In an effort to clarify questions like these, the WP29 guidelines include a non-exhaustive list of nine criteria for evaluating whether a processing activity is likely to result in a high risk, together with real-world examples of each criterion.7, 8 The nine criteria laid out by the WP29 are as follows:
- Evaluation or scoring;
- Automated-decision making with legal or similar significant effect;
- Systematic monitoring;
- Sensitive data or data of a highly personal nature;
- Data processed on a large scale;
- Matching or combining datasets;
- Data concerning vulnerable data subjects;
- Innovative use or applying new technological or organisational solutions; and
- Preventing data subjects from exercising a right or using a service or a contract.
The revised guidelines also include new examples of each criterion. For example, evaluation or scoring “could include a financial institution that screens its customers against a credit reference database or against an anti-money laundering and counter-terrorist financing (AML/CTF) or fraud database . . . .” The guidelines also state that “[i]n most cases, a data controller can consider that a processing meeting two criteria would require a DPIA to be carried out” and that “[i]n general, the WP29 considers that the more criteria are met by the processing, the more likely it is to present a high risk to the rights and freedoms of data subjects, and therefore to require a DPIA, regardless of the measures which the controller envisages to adopt.”