Guidelines on Data Protection Impact Assessment for the purposes of GDPR

The European Union's new General Data Protection Regulation ("GDPR") was published on 4 May 2016. It will be enforced after a two-year transition, beginning on 25 May 2018, replacing national laws and regulations and reaching all companies that target EU consumers, including those located outside the EU.

GDPR introduces the concept of a Data Protection Impact Assessment (“DPIA”).

On 4 April 2017, the Article 29 Data Protection Working Party ("DPWP") adopted guidelines intended to clarify the concept of a DPIA. (The DPWP is the European advisory body on data protection and privacy; it is composed of a representative of the supervisory authority or authorities designated by each EU country, a representative of the authority or authorities established for the EU institutions and bodies, and a representative of the European Commission.)

GDPR does not give a formal definition of DPIA but only its minimal content (Article 35(7) GDPR).

DPWP gives the following definition of a DPIA: a process designed to describe the processing, assess the necessity and proportionality of a processing and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data (by assessing those risks and determining the measures to address them).

DPWP explains that DPIAs are important tools for accountability, as they help controllers not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Regulation. In other words, a DPIA is a process for building and demonstrating compliance.

DPWP further notes that, under the GDPR, non-compliance with DPIA requirements can lead to fines imposed by the competent supervisory authority. Failing to carry out a DPIA when the processing is subject to one, carrying out a DPIA incorrectly, or failing to consult the competent supervisory authority where required can each result in an administrative fine of up to 10M€ or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Since GDPR only enters into force in May 2018, the requirement to carry out a DPIA applies to processing operations after this date.

However, DPWP strongly recommends carrying out DPIAs for processing operations already underway prior to May 2018.

That being said, the DPWP also indicates that carrying out a DPIA is not mandatory for every processing operation. A DPIA is only required when the processing is "likely to result in a high risk to the rights and freedoms of natural persons".

The DPIA Guidelines provide useful information on when processing is likely to present a high risk and, therefore, when a DPIA is required. According to the DPWP, as a "rule of thumb" only, a DPIA should be carried out when a processing operation meets at least 2 of the criteria the Guidelines consider relevant for deciding whether or not a DPIA is needed.

The DPIA Guidelines provide the following list, which gives some concrete examples of situations in which a DPIA may be required:

It should be noted, however, that this list cannot be considered a strict rule for when a DPIA is required, as several exceptions provided for by the GDPR may apply.

The DPIA Guidelines also provide insight into when the supervisory authority must be consulted after a DPIA has been carried out. This may be the case when the identified risks cannot be sufficiently addressed by the data controller.