The New European General Data Protection Regulation IV: The Privacy Impact Assessment

Authors: María Bardají & Sascha Villoro 

This is our fourth installment in this series and today we are getting technical, with the Data Protection Impact Assessment, or DPIA.

Article 35 of the GDPR states that: “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”

But doesn’t all processing impact the privacy of the data subject in one way or another? Isn’t all processing nowadays carried out using “new” technologies? After reading the article you surely got the impression that a DPIA must always be performed, just in case, but the GDPR narrows down the cases in which a DPIA is actually compulsory (Note: companies may voluntarily subject themselves to a DPIA, to ensure the greatest degree of privacy for their clients and employees).

First of all, paragraph 3 of the same article states that a DPIA shall in particular be required in the case of: 

(a) systematic and extensive evaluation of personal aspects based on automated processing, including profiling, and on which legal decisions are based or similarly significantly affect the natural person; 

(b) processing on a large scale of special categories of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation, etc.), or of personal data relating to criminal convictions and offences;  

(c) systematic monitoring of a publicly accessible area on a large scale (e.g. video surveillance).

Unfortunately, these definitions are quite ambiguous and it’s clear companies will need some help in determining whether they meet any of these conditions or not. The Article 29 Working Party has issued some guidelines to try to clarify these concepts; however, they are still not definitive. Also, the Guidelines on Data Protection Officers issued in December 2016 offer some clarification on how to interpret the situations in which a Privacy Impact Assessment is compulsory.

Furthermore, the supervisory authority will make public a list of the kinds of processing operations which require a DPIA. An opposite list, establishing certain processing activities which do not require a DPIA, is also expected.

What will a DPIA entail? 

- a systematic description of the envisaged processing operations and the purposes of the processing;

- an assessment of the necessity and proportionality of the processing operations in relation to the purposes thereof; 

- an assessment of the risks to the rights and freedoms of data subjects;

- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.

Whenever possible (that is: without putting the security of the system or the company’s commercial interests at risk), the company should seek the views of the data subjects on the intended processing.

If the risks or the purposes regarding the data processing change, a review of the DPIA will be in order.

If the DPIA determines that the processing would result in a high risk in the absence of measures, the company must consult the supervisory authority prior to the processing. If the supervisory authority concludes that the intended processing would infringe the GDPR, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory authority will provide advice to the company.

The preceding articles of this ongoing series on the new European GDPR are available under the following links:

The New European General Data Protection Regulation: Consent To Data Processing

The New European General Data Protection Regulation II: Information Rights

Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR)