GDPR Essentials: Data Protection Impact Assessments, When and How Should They Be Conducted?
As we enter the home stretch towards the enforcement of the EU’s General Data Protection Regulation (GDPR), with only three weeks to go until 25 May 2018, we take a closer look at one of the key requirements of the new legislation: Data Protection Impact Assessments (DPIAs).
Meant to help companies identify, assess and minimize the data protection risks of projects, DPIAs are not necessarily a new idea. A similar concept, the Privacy Impact Assessment (PIA), has been widely considered a valuable tool for companies looking to reduce risks resulting from their data processing activities. However, because of the lack of an industry-wide agreement on how these should be conducted, companies have often found themselves at a loss when it came to carrying them out.
Through DPIAs, the GDPR has now made assessments mandatory by law in the case of processing activities which may result in a high risk to EU data subjects’ personal data. The new requirement has sparked endless debates in policy and legal circles about what DPIAs should look like and how they should be conducted.
When are DPIAs necessary?
Detailed under article 35 of the GDPR, DPIAs support the greater framework of the GDPR through the key role they play in achieving data protection by design and by default. They help companies stay accountable and enable them to clearly demonstrate the steps they have taken to ensure compliance. Because of all this, they are especially relevant when it comes to new projects, applications, business processes and systems being introduced.
As defined by the GDPR, DPIAs are needed when data processing is “likely to result in a high risk to the rights and freedoms of natural persons”. What exactly constitutes these high risks remains to be decided at national level by the supervisory authority of each EU member state. Each country’s data protection authority must publish a list of processing operations that require DPIAs as well as a list of those that do not need one.
The GDPR does however specify three cases in particular when DPIAs will be mandatory:
- A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person. This refers primarily to profiling and automated decision making (ADM), applicable especially to organizations such as banks, insurers and so on, but also social media companies like Facebook, LinkedIn etc.
- Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences. The special categories of data, as listed under article 9 (1) of the GDPR, refer to information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation or sex life, health, genetic data and biometric data used for the purpose of uniquely identifying a natural person.
- A systematic monitoring of a publicly accessible area on a large scale. This applies to public networks, WiFi hotspots, CCTV monitored areas etc.
How to Best Conduct a DPIA
The GDPR clearly states that DPIAs should be carried out before data processing takes place. This means companies need to assess their need for a DPIA before launching new projects. It’s first of all good to bear in mind that data controllers are the ones held accountable for the performance of DPIAs. This means that, while companies can hire outside assistance to conduct DPIAs, should any problems arise, the ultimate responsibility will lie with the data controller.
The Article 29 Working Party (WP29) issued a set of guidelines on DPIAs in April 2017 in which they also suggested a series of steps companies can follow when carrying out DPIAs. These are:
- Description of envisaged processing: a systematic description of the nature, scope, context and purposes of the processing operations, including, where applicable, the legitimate interest pursued by the controller.
- Assessment of the necessity and proportionality: an explanation of why the data in question needs to be used and whether its use is reasonable with regard to the needs and rights of the individuals whose data will be used.
- Measures envisaged to demonstrate compliance: organizations must be able to prove a proactive approach to data protection through their data protection policies, the use of specialized software, reports etc.
- Assessment of the risks to the rights and freedoms of data subjects: “the rights and freedoms” of data subjects primarily refer to the right to privacy but may also include other fundamental rights such as freedom of speech, freedom of thought, freedom of movement, prohibition of discrimination, right to liberty, conscience and religion.
- Measures envisaged to address the risks: organizations need to provide clear safeguards for every risk discovered that can then be implemented company-wide in order to reduce the chance of high risks happening.
- Documentation: DPIAs must have record-keeping procedures in place to ensure that organizations can prove they were conducted adequately.
- Monitoring and Review: DPIAs should be continually conducted or, if no changes occur in the nature of the processing or the data, at least once every three years.
- Back to Step 1: the process suggested by the WP29 is iterative, meaning that it must be repeated multiple times to ensure that all risks have been identified and adequately addressed.
If high risks still remain even after a DPIA is conducted, companies need to contact their national data protection authority to request advice. Any recommendations put forth by the supervisory authorities must then be integrated into the DPIA.
While penalties for failure to conduct DPIAs when necessary or doing so in an inadequate manner fall under the lower end of the GDPR fine scale, companies still stand to lose up to €10 million, or 2% of their global annual turnover, whichever is higher, for noncompliance.