On 4 October 2017 the Article 29 Working Party (“WP29”) published its final Guidelines on Data Protection Impact Assessment (“DPIA”) which were initially released in draft form in April 2017. Article 35 of the General Data Protection Regulation (“GDPR”) requires the use of DPIAs, or risk assessments of the proposed processing of personal data by an organisation, as part of regular business processes. The key revisions to note are in relation to the following concepts:
The guidance provides a set of evaluation criteria to consider when deciding whether or not a data controller should carry out a DPIA. It suggests that in most cases, where a processing operation meets two or more of the criteria, a DPIA should be carried out. The final guidance reduces the criteria for deciding when to carry out a DPIA from ten factors to nine, by removing international transfers as a consideration in determining whether a DPIA is required.
The nine criteria to consider are:
- Evaluation and scoring: profiling and predicting behaviour, e.g., screening customers against a credit reference database.
- Automated decision making with a legal or similar significant effect: e.g., profiling which may lead to the exclusion of or discrimination against individuals.
- Systematic monitoring: for example, an employee monitoring programme. The risk is increased where: (i) the individual may not be aware of who is collecting their data or how it will be used; or (ii) it is difficult for the individual to avoid being subject to such processing, as where the monitoring takes place in a public space.
- Processing of sensitive data: the processing of sensitive personal data and/or data which more generally increases risks for individuals, such as location data and financial data.
- Large scale processing: the number of individuals concerned, the volume and/or range of data, the duration of the processing and its geographical extent are all potential components of this risk factor.
- Matching or combining datasets: in particular, where the datasets originate from different processing operations and the individual could not reasonably expect them to be combined.
- Processing data of vulnerable subjects: in cases where there is an imbalance in the relationship between the controller and the individual including, e.g., children, employees, the mentally ill, patients or the elderly.
- Innovative use of technological or organisational solutions: the use of new technologies with novel forms of data collection and use, e.g., processing operations which combine the use of finger print and face recognition for improved physical access control.
- The processing prevents an individual from exercising a right or using a service: including processing aimed at “allowing, modifying or refusing [individuals’] access to a service or entry into a contract,” e.g., where a bank screens customers against a credit reference database to decide whether to offer a loan.
DPIA Review Periods
The suggestion that a DPIA should be reviewed every 3 years (or sooner, as the context requires) has been removed. Instead, the guidance now states that DPIAs should be “continuously reviewed and regularly re-assessed” as a matter of good practice. This imposes a more fluid obligation on data controllers and emphasises the principle that, even if a DPIA is not required as at 25 May 2018, controllers will need to conduct DPIAs as part of their general accountability obligations going forward.
Methods of Demonstrating Adequacy
The draft guidance stated that compliance with a code of conduct (pursuant to Article 40 GDPR) can be useful in demonstrating, when conducting a DPIA, that adequate measures have been put in place relative to the impact of a data processing operation. The final guidance adds certifications, seals and marks (Article 42 GDPR) and, importantly, Binding Corporate Rules (BCRs) as other potential methods for organisations to demonstrate adequacy in their DPIA analysis.
Although the wording stating that the WP29 strongly recommends that DPIAs be carried out for processing operations already underway prior to May 2018 has been removed, the final guidance still states that the requirement to carry out a DPIA applies to existing processing operations. As such, companies should consider now which of their processing activities require a DPIA, to ensure these have been completed prior to May 2018.