Data Protection Impact Assessments: Final Guidance Issued

30 October 2017

Ruth Boardman, Ariane Mole

On 4th October 2017, the Article 29 Working Party (WP29) revised and adopted final guidance on Data Protection Impact Assessments for high risk processing under GDPR. The guidance is very similar to the draft released earlier.

DPIAs are required for high risk processing: WP29 takes a wide view of high risk

GDPR gives 3 examples of high processing which would trigger a need for a DPIA:

  1. systematic & extensive evaluation of personal aspects relating to natural persons, based on automated processing (including profiling), and on which decisions are based that produce legal effects concerning the individual or which similarly significantly affect the individual
  2. large scale processing of special categories or criminal offence data; and
  3. systematic monitoring of a publicly accessible area on a large scale.

WP29 notes that these are just examples: whenever there is a high risk a DPIA is required. WP29 suggests 9 criteria:

  1. Evaluation or scoring – e.g. consulting an AML or fraud prevention database
  2. Automated decision taking leading to legal or similarly significant effects
  3. Systematic monitoring in publicly accessible areas
  4. Processing of sensitive or highly personal data (communications data, location data, financial data)
  5. Large scale processing - numbers, duration and geographical extent are all stated to be relevant, although no figures are stated
  6. Matching databases
  7. Vulnerable data subjects –where there is an imbalance of power – children, employees, patients, the elderly
  8. Innovative uses of technology – the example given is that IoT applications may require a DPIA
  9. Processing which could exclude individuals from using a service or contract, or from exercising a right.

The earlier draft included 10 criteria- the 10th being transfers of data outside the EU. This last criterion has now, helpfully, been deleted.

WP29 suggests that any 2 criteria are likely to trigger a need for a DPIA – but also notes that this is not necessarily the case: in some cases a controller may conclude that there still isn’t a high risk; in other cases, a DPIA may be required where only one criteria applies.

Can you give some examples?

WP29 gives worked examples where a DPIA would be needed (and fewer examples where a DPIA wouldn’t be needed). It suggests a DPIA will be needed for the following:

  • Hospital processing health data
  • Use of ANPI
  • Systematic monitoring of employees activity at work (including online activities)
  • Collection of public social media profiles
  • National fraud or credit databases

You can't mean I have to do a DPIA each time I carry out monitoring?

No, not necessarily. WP29 cites provisions in GDPR noting that a controller may use a single DPIA to cover multiple processing operations, if they are similar. Aside from employee monitoring, this could help an organisation using CCTV in multiple locations could cover all of these via one DPIA, or controllers using products where the manufacturer has issued guidelines for a DPIA.

So when is a DPIA not required?

When the processing is not likely to present a high risk. WP29 doesn’t give many examples of this – perhaps when a data protection authority has already authorised the processing, or if the processing is included in a list maintained by a data protection authority of processing in respect of which DPIAs are not needed.

What about existing processing?

Here, there is a change in emphasis by WP29 from the draft guidelines. The final guidelines emphasize that undertaking DPIAs is an ongoing (continuous) process. Accordingly, if there is any change in the risk posed by existing processing, a DPIA will be needed.

What should be in the DPIA?

WP29 doesn’t prescribe the form of DPIA. But it does set out, at a high level, the criteria to be addressed.

DPIA Oct 2017

If at the end of the process, there are unmitigated risks, then the organisation must approach the competent supervisory authority for guidance.

Severity and likelihood of risk: this sounds like classic risk assessment

Yes, it is very similar. However, WP29 emphasizes that information security professionals will assess risk to the organisation. Here the perspective is different: data protection authorities are concerned with risk to the individual.

Want to know more?

WP29 includes an Annex listing sources of existing guidance on DPIAs.