Oct 202017

Article 29 Working Party Publishes Final Guidance on Data Protection Impact Assessments

William RM Long, Francesca Blythe and Eleanor Dodding
, , , ,

On 4 October 2017 the Article 29 Working Party (“WP29”) published its final Guidelines on Data Protection Impact Assessment (“DPIA”) which were initially released in draft form in April 2017. Article 35 of the General Data Protection Regulation (“GDPR”) requires the use of DPIAs, or risk assessments of the proposed processing of personal data by an organisation, as part of regular business processes. The key revisions to note are in relation to the following concepts:

Evaluation Criteria

The guidance provides a set of evaluation criteria to consider when deciding whether or not a data controller should carry out a DPIA. The guidance suggests that in most cases, where processing consists of two or more of the criteria, a DPIA should be carried out. The final guidance reduces the criteria for deciding when to carry out a DPIA from ten factors to nine, by removing international transfers as a consideration in determining whether a DPIA is required.

The nine criteria to consider are:

  • Evaluation and scoring: profiling and predicting behaviors e.g., screening customers against a credit reference database.
  • Automated decision making with a legal or similar significant effect: e.g., profiling which may lead to the exclusion of or discrimination against individuals.
  • Systematic monitoring: for example an employee monitoring program. The risk is increased where: (i) the individual may not be aware who is collecting their data or how it will be used; or (ii) where it is difficult for the individual to avoid being subject to such processing if the monitoring is in a public space.
  • Processing of sensitive data: the processing of sensitive personal data and/or data which more generally increases risks for individuals, such as location data and financial data.
  • Large scale processing: the number of individuals concerned, the volume and/or range of data, the duration of the processing and its geographical extent are all potential components of this risk factor.
  • Matching or combining datasets: in particular, where the datasets originate from different processing operations and the individual could not reasonably expect them to be combined.
  • Processing data of vulnerable subjects: in cases where there is an imbalance in the relationship between the controller and the individual including, e.g., children, employees, the mentally ill, patients or the elderly.
  • Innovative use of technological or organisational solutions: the use of new technologies with novel forms of data collection and use, e.g., processing operations which combine the use of finger print and face recognition for improved physical access control.
  • The processing prevents an individual from exercising a right or using a service: including processing aimed at “allowing, modifying or refusing [individuals’] access to a service or entry into a contract,” e.g., where a bank screens customers against a credit reference database to decide whether to offer a loan.

DPIA Review Periods

The suggestion that a DPIA should be reviewed every 3 years (or sooner, as the context requires) has been removed. Instead, the guidance now states that they should be “continuously reviewed and regularly re-assessed” as a matter of good practice. This imposes a more fluid obligation on data controllers and emphasises the principle that even if a DPIA is not required as at 25 May 2018, it will be necessary for controllers to conduct DPIAs as part of its general accountability obligations going forward.

Methods of Demonstrating Adequacy

The draft guidance stated that compliance with a code of conduct (pursuant to Article 40 GDPR) can be useful in demonstrating that adequate measures have been put in place relative to the impact of a data processing operation when conducting a DPIA. The final guidance adds certifications, seals and marks (Article 42 GDPR) and importantly, Binding Corporate Rules (BCR) as other potential methods for organisations to demonstrate adequacy in their DPIA analysis.

Although the wording stating that the WP29 strongly recommend that DPIAs are carried out for processing operations already underway prior to May 2018 has been removed, the final guidance still states that the requirement to carry out a DPIA applies to existing processing operations. As such, companies should consider now which of its processing activities require a DPIA to ensure these have been completed prior to May 2018.

William RM Long

London

wlong@sidley.com

Francesca Blythe

London

fblythe@sidley.com

Eleanor Dodding

London

edodding@sidley.com

You might also like
U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.

Substantial changes to Hong Kong’s privacy laws coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.