The General Data Protection Regulation (EU 2016/679) ("GDPR") aims to ensure that organisations which process personal data embed data privacy into their business model. To this end, it introduces a requirement that a data protection impact assessment ("DPIA") be completed by organisations before they embark on any new business initiative which involves the high-risk processing of personal data. While certain organisations engaged in high-risk processing may already carry out such impact assessments as a matter of good practice, the GDPR now imposes this as a statutory obligation.
What is a DPIA?
The DPIA is a tool which requires organisations involved in certain types of high risk processing to:
- analyse each of the steps involved in the proposed processing activity and identify the purpose of such proposed processing;
- assess the necessity and proportionality of that processing; and
- identify and manage the potential risks to the privacy of data subjects which arise from that activity.
Its purpose is to ensure that all relevant privacy and data protection issues are identified by an organisation before work on a project or initiative actually commences. A single DPIA may address a set of similar processing operations that present similar high risks.
In what circumstances is a DPIA necessary?
In general, a DPIA is required under the GDPR when the processing of personal data is "likely to result in a high risk to the rights and freedoms of natural persons". It is particularly relevant where the proposed processing involves a new technology.
The GDPR identifies three types of processing operations for which a DPIA is required:
- a systematic and extensive evaluation of personal aspects relating to data subjects which is based on automated processing, including profiling and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences; or
- systematic monitoring of a publicly accessible area on a large scale.
However, it should be noted that the above is a non-exhaustive list and that a DPIA will also be required in other cases where the processing of personal data involves a "high risk to the rights and freedoms" of the data subject. The Article 29 Data Protection Working Party has prepared guidelines (the "Guidelines") which set out criteria to be considered in determining whether a processing activity is such that it warrants a DPIA being completed.
The GDPR also provides that individual Member States must identify "high risk" processing operations in respect of which a DPIA must be completed. Member States may also set down that certain kinds of processing of personal data will not require a DPIA to be carried out.
Failure to carry out a DPIA where it is required under the GDPR, carrying out a DPIA in an incorrect way or failing to consult the competent supervisory authority may result in an administrative fine being imposed.
In what circumstances is a DPIA advisable?
Organisations may choose to implement a DPIA on a voluntary basis before commencing a new project which will involve the processing of personal data in order to (i) ensure that the organisation complies with its obligations under the GDPR and (ii) if necessary, demonstrate to the Data Protection Commission at a future date that it identified all relevant risks associated with the processing of the personal data and took appropriate steps to resolve or mitigate those risks before the processing activity began.
In cases where it is not clear whether or not a DPIA is required, the Guidelines recommend that a DPIA is carried out. If an organisation determines that a DPIA is not required on the basis that the processing is not "likely to result in a high risk", it should document the reasons for this determination.
What role will the Data Protection Commission play?
If, after a DPIA has been completed, certain risks to the privacy of individuals' personal data cannot be fully mitigated by reasonable means, an organisation will be required to consult with the Data Protection Commission before work on the relevant project or initiative begins.
The obligation to prepare a DPIA will apply to any new processing operations which meet the criteria outlined above and which are initiated after the GDPR becomes effective on 25 May next. If the risk posed by an existing processing operation changes after 25 May, that operation should be assessed to ensure that it is carried out in line with the DPIA.
The Guidelines also strongly recommend that organisations carry out a DPIA for processing activities which are already under way before next May where such processing involves a "high risk" to the rights and freedoms of data subjects. Organisations will therefore need to consider whether any existing and new processing activities undertaken by them are such that a DPIA should be implemented in order to ensure compliance with the GDPR.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.