ARTICLE
15 December 2017

Assessing GDPR Guidelines Part II: Data Impact Assessments

Sheppard, Mullin, Richter & Hampton LLP

Contributor


Following up on yesterday's blog about profiling and automated decision making, we now look at guidance on data protection impact assessment (DPIA). The same guidance we discussed also directs companies to conduct a DPIA where profiling or automated decision making results in the "systematic and extensive evaluation" of an individual and decisions are made based on that evaluation that could have legal effects.

Additional guidelines released by the Working Party last month (here) provide more detail on DPIAs and when a DPIA is required. DPIAs are tools to manage risk and can be used by companies to demonstrate compliance with GDPR requirements. They are only required where the processing of personal data under the GDPR is "likely to result in a high risk to the rights and freedoms of natural persons." The guidelines provide the following examples of processing that is likely to require a DPIA:

  • A hospital information system processing patients' health data
  • A company that systematically monitors employees' activities, including internet activity
  • The gathering of public social media data for generating profiles

The guidelines remind companies to conduct a DPIA before the processing begins. The DPIA is to include (1) a description of the processing and its purpose, (2) an assessment of the necessity of the processing, (3) an assessment of the risks to the rights and freedoms of data subjects, and (4) the measures envisioned to address those risks and demonstrate compliance with the GDPR. Data processing can commence where the DPIA supports a lawful basis for processing under the GDPR.

Putting it Into Practice: Companies trying to assess whether they need a DPIA under GDPR should keep in mind the timing of the assessment. A close look at the type of processing being conducted is an important step.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
