On 4 October 2017, the Article 29 Working Party (“WP29”) released its final guidelines on Data Protection Impact Assessments (“DPIA”), which were initially proposed in draft form in April 2017. Article 35 of the General Data Protection Regulation (“GDPR”) provides that the controller shall carry out an assessment of the impact of the envisaged processing operations, if the type of processing is likely to result in a high risk to the rights and freedoms of natural persons. A failure to comply could lead to a fine of up to €10 million, or up to 2% of the total worldwide annual turnover, whichever is higher.
The WP29’s final version provides additional guidelines, particularly the criteria to be applied in determining whether or not a DPIA is mandatory, and how to carry out a DPIA. We explore some of the key guidelines below.
Changes to Criteria
Under the GDPR, conducting DPIAs is required if the data processing is “likely to result in high risks”. Although the GDPR provides examples of data processing operations that would fall into this category, both versions of the guidelines mention that this is a “non-exhaustive list”.
The WP29’s final guidance reduces the criteria for determining whether a DPIA is mandatory to nine considerations – removing international transfers as a factor. Controllers may consider this an advantage, given that many data processing activities involve international transfers.
The relevant criteria include:
- Evaluation or scoring (including profiling and predicting)
- Automated decision-making with legal or similar significant effect
- Systematic monitoring
- Sensitive data or data of a highly personal nature
- Data processed on a large scale
- Matching or combining data sets
- Data concerning vulnerable data subjects
- Innovative use or applying new technological or organizational solutions
- When the processing prevents data subjects from exercising a right or using a service or a contract
Looking closely at the ‘sensitive data or data of a highly personal nature’ consideration, you will notice that sensitive data has been interpreted more broadly than what is defined under special categories of personal data (i.e., personal data is considered sensitive as the “term is commonly understood”). The WP29 also added the language of “data of a highly personal nature” alongside sensitive data. The guidelines, therefore, cast the net widely, requiring controllers to consider many categories of personal data when conducting DPIAs.
The suggestion that a DPIA should be reviewed every three years has been removed. Instead, the guidance states that they should be “continuously reviewed and regularly re-assessed” as a matter of good practice. Conducting DPIAs should not be seen only as a method of demonstrating compliance, but as something which also forms part of a business’ framework.
The need for a risk-based approach to data protection is emphasised. The obligation on controllers to conduct a DPIA must measure the rights and freedoms of individuals “against the background of their general obligation to appropriately manage risks”. This encourages businesses to use DPIAs as a risk-management technique.
Methods of Demonstrating Compliance
The draft guidance stated that compliance with a code of conduct can be useful in demonstrating that adequate measures have been put in place relative to the impact of a data processing operation when conducting a DPIA. The final guidance adds certifications, seals, and marks, and importantly, Binding Corporate Rules as other potential methods for organisations to demonstrate adequacy in their DPIA analysis.
These new guidelines provide a useful steer for businesses on when they need to, and how they should, carry out DPIAs. Importantly, the final guidance states that the requirement to carry out a DPIA applies to existing processing operations. As such, businesses should now consider which of their processing activities require a DPIA, to ensure these have been completed prior to May 2018. If the processing operation is not considered likely to result in a high risk to individuals, despite criteria being identified, controllers should still document the reasons for deciding not to carry out a DPIA. However, the main message to take away is: if in doubt over whether a DPIA is required, always err on the side of caution and carry out a full DPIA.