On 4th October 2017, the Article 29 Working Party (WP29) revised and adopted final guidance on Data Protection Impact Assessments for high risk processing under GDPR. The guidance is very similar to the draft released earlier.
DPIAs are required for high risk processing: WP29 takes a wide view of high risk
GDPR gives 3 examples of high risk processing which would trigger a need for a DPIA:
WP29 notes that these are just examples: whenever there is a high risk a DPIA is required. WP29 suggests 9 criteria:
The earlier draft included 10 criteria, the 10th being transfers of data outside the EU. This last criterion has now, helpfully, been deleted.
WP29 suggests that meeting any 2 criteria is likely to trigger a need for a DPIA, but also notes that this is not necessarily the case: in some cases a controller may conclude that there still isn't a high risk; in other cases, a DPIA may be required where only one criterion applies.
Can you give some examples?
WP29 gives worked examples where a DPIA would be needed (and fewer examples where a DPIA wouldn’t be needed). It suggests a DPIA will be needed for the following:
You can't mean I have to do a DPIA each time I carry out monitoring?
No, not necessarily. WP29 cites provisions in GDPR noting that a controller may use a single DPIA to cover multiple processing operations, if they are similar. Aside from employee monitoring, this could mean that an organisation using CCTV in multiple locations could cover all of them via one DPIA, or that controllers using products where the manufacturer has issued guidelines for a DPIA could rely on those.
So when is a DPIA not required?
When the processing is not likely to present a high risk. WP29 doesn’t give many examples of this – perhaps when a data protection authority has already authorised the processing, or if the processing is included in a list maintained by a data protection authority of processing in respect of which DPIAs are not needed.
What about existing processing?
Here, there is a change in emphasis by WP29 from the draft guidelines. The final guidelines emphasize that undertaking DPIAs is an ongoing (continuous) process. Accordingly, if there is any change in the risk posed by existing processing, a DPIA will be needed.
What should be in the DPIA?
WP29 doesn’t prescribe the form of DPIA. But it does set out, at a high level, the criteria to be addressed.
If, at the end of the process, high risks remain that cannot be mitigated, then the organisation must consult the competent supervisory authority before the processing starts (the prior consultation under Article 36 GDPR).
Severity and likelihood of risk: this sounds like classic risk assessment
Yes, it is very similar. However, WP29 emphasizes that information security professionals typically assess risk to the organisation. Here the perspective is different: data protection authorities are concerned with risk to the individuals whose data is processed.
Want to know more?
WP29 includes an Annex listing sources of existing guidance on DPIAs.