European Union: GDPR Update November 2018: Data Protection Impact Assessments (DPIAs)

Last Updated: 14 November 2018
Article by Marc Elshof and Celine Van Es
Most Popular Article in Netherlands, November 2018

Introduction

In this month's GDPR Update we address an organization's obligation to perform Data Protection Impact Assessments (DPIAs). A DPIA is a process designed to describe the processing, assess its necessity and proportionality, and help manage the risks to the rights and freedoms of individuals resulting from the processing of personal data by assessing them and determining measures to address them.

The obligation to perform DPIAs did not explicitly exist under the repealed Data Protection Directive. Together with the introduction of the accountability principle, this new obligation can be seen as a replacement for the system of notifications of processing activities to national supervisory authorities, which proved to be ineffective in ensuring better data protection and was cost inefficient.

Obligation to perform a DPIA

Carrying out a DPIA is not mandatory for every processing activity. An organization, as a controller, is obliged to perform a DPIA if the processing is "likely to result in a high risk to the rights and freedoms of natural persons." The GDPR non-exhaustively lists the following processing activities as likely to result in a high risk:

  1. A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  2. Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences; and
  3. A systematic monitoring of a publicly accessible area on a large scale (e.g. through CCTV).

The guidelines of the Article 29 Working Party (the WP29, since replaced by the European Data Protection Board, the EDPB) on DPIAs set out that in most cases a processing activity is likely to result in a high risk if it meets two or more of the following criteria:

  1. Evaluating or scoring, including profiling and predicting, especially from "aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements" (e.g. determining a credit score, evaluating someone's health, performance at work, or personal preferences or interests).
  2. Automated decision making with legal or similar significant effect, such as decisions made by an automated system based on a profile in order to allow or deny a customer's access to a financial product.
  3. Systematic monitoring (i.e. processing used to observe, monitor or control data subjects, including data collected through networks or "a systematic monitoring of a publicly accessible area"), such as CCTV or workplace monitoring systems.
  4. Sensitive data or data of a highly personal nature such as health or racial/ethnic data, information about individuals' political opinions and criminal convictions.
  5. Data processed on a large scale (taking into consideration the number of data subjects concerned, the volume of data, the duration or permanence of the processing activity and the geographical scope of the processing activity), such as tracking individuals through a city's public transport system via geolocation.
  6. Matching or combining datasets such as combining, comparing or matching personal data from multiple sources.
  7. Data concerning vulnerable data subjects (e.g. children, employees, elderly and patients).
  8. Innovative use or application of new technological or organizational solutions such as the use of artificial intelligence to make decisions.
  9. When the processing in itself "prevents data subjects from exercising a right or using a service or contract."

As a general rule, the more of these criteria a processing activity meets, the more likely it is to pose a high risk and therefore to require a DPIA.

DPIA lists

Under the GDPR, supervisory authorities are obliged to create and publish lists of specific processing activities that require a DPIA in any case. For an impression of the type of processing activities on these lists, please see the schedule below.

The Netherlands

  • Large scale/systematic processing for secret investigation (e.g. private detective companies)
  • Black lists (e.g. on persons with bad payment habits)
  • Large scale/systematic processing for fraud prevention (e.g. by social security institutions)
  • Large scale/systematic processing for credit scoring
  • Large scale/systematic processing to assess financial situation
  • Large scale/systematic processing of genetic data
  • Large scale processing of health data
  • Exchange of sensitive data and special category data
  • Structural and large scale CCTV surveillance of public spaces
  • Large scale/systematic flexible camera surveillance (e.g. use of dashboard cameras)
  • Large scale/systematic employee monitoring
  • Large scale/systematic processing of location data
  • Large scale/systematic processing of communication data
  • Large scale/systematic processing through internet of things devices
  • Systematic and extensive profiling
  • Large scale observation and influencing of behaviour

Belgium

  • The use of biometric data for unique identification of data subjects in public spaces or in private spaces that are accessible to the public
  • Processing of data that is collected from third parties for the purposes of taking decisions about terminating or denying a service agreement with a natural person
  • Processing of special categories of data for other purposes than for which the data was collected, unless the processing is based on the data subject's consent or if the processing is necessary to fulfill a legal obligation to which the controller is subject
  • Processing by means of an implant whereby a personal data breach could threaten the physical health of the data subject
  • Large scale processing of personal data of vulnerable natural persons, such as children, for other purposes than for which the data was originally collected
  • Large scale collection of personal data from third parties for the purposes of analyzing or predicting the economic situation, health, personal preferences or interests, reliability or behavior, location or movements of natural persons
  • Systematic exchange between different controllers of special categories of personal data or personal data of a highly personal nature (such as information about poverty, unemployment, involvement of youth care or social work, household or private activities, location)
  • Large scale processing of data that is generated through the use of devices with sensors that send data via the internet or another medium (Internet of Things devices, such as smart televisions, smart household appliances, connected toys, smart cities, smart energy meters, et cetera) for the purposes of analyzing or predicting the economic situation, health, personal preferences or interests, reliability or behavior, location or movements of natural persons
  • Large scale processing and/or systematic processing of telephone, internet or other communication data, metadata or location data traceable to natural persons (e.g. wifi-tracking or processing of travellers' data in public transport) when the processing is not strictly necessary for a service requested by the data subject
  • Large scale processing of personal data whereby the behavior of natural persons is automatically and systematically observed, collected, recorded or influenced, including for advertising purposes

United Kingdom

  • Processing involving the use of new technologies, or the novel application of existing technologies (including artificial intelligence)
  • Decisions about an individual's access to a product, service, opportunity or benefit which is based to any extent on automated decision-making (including profiling) or involves the processing of special category data
  • Any profiling of individuals on a large scale
  • Any processing of biometric data
  • Any processing of genetic data, other than that processed by an individual general practitioner or health professional for the provision of health care direct to the data subject
  • Combining, comparing or matching personal data from multiple sources
  • Invisible processing, i.e. processing of personal data that has not been obtained direct from the data subject in circumstances where the controller considers that compliance with Article 14 (providing information to the data subjects) would prove impossible or involve disproportionate effort
  • Processing which involves tracking an individual's geolocation or behavior, including but not limited to the online environment
  • The use of the personal data of children or other vulnerable individuals for marketing purposes, profiling or other automated decision-making, or if you intend to offer online services directly to children
  • Where the processing is of such a nature that a personal data breach could jeopardise the (physical) health or safety of individuals

The EDPB has recently (September 2018) issued opinions on these lists in order to avoid significant inconsistencies that may affect the equivalent protection of the data subjects.

From the EDPB's opinions it inter alia follows that:

  • the processing of biometric data;
  • the processing of genetic data;
  • the processing of location data; or
  • the processing with the use of innovative technologies;

on its own is not necessarily likely to present a high risk. However, the processing of such data in conjunction with at least one other criterion from the WP29's list (see under "Obligation to perform a DPIA" above) will require a DPIA to be carried out.

The DPIA lists have to be amended in accordance with these opinions (if not amended yet).

Decision not to perform a DPIA

If an organization, based on the above factors (the WP29 guidance and the supervisory authorities' DPIA lists), comes to the conclusion that it is not obliged to perform a DPIA, it should document how it has formed that opinion, so that it is able to demonstrate GDPR compliance. A decision not to perform a DPIA should not be a one-off decision. Controllers must continuously assess their processing activities to identify when an activity is likely to result in a high risk to the rights and freedoms of data subjects.

How to perform a DPIA

Under the GDPR, the process to perform a DPIA has not been specified. The GDPR allows for data controllers to introduce a framework which complements their existing working practices provided it takes into account the following minimum requirements:

  • A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller.
  • An assessment of the necessity and the proportionality of the processing operations in relation to the purposes.
  • An assessment of the risks to the rights and freedoms of data subjects.
  • The measures envisaged to address the risks and demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.

The controller must request advice from the Data Protection Officer (the DPO) when performing a DPIA. The DPO shall also monitor performance of the DPIA in accordance with the GDPR. Where appropriate, the controller should consider seeking the views of the data subjects on the intended processing.

A single DPIA may be undertaken in respect of similar data processing operations that present similar risks. This might be the case where similar technology is used to collect the same sort of data for the same purposes (for example the use of CCTV in multiple locations of the same company if the CCTV is used in the same way).

When to perform a DPIA

According to the WP29, a DPIA should be seen as a decision-making tool concerning the processing. A DPIA should therefore be carried out "prior to the processing". It is advisable to start the DPIA as early as possible in the design and proof of concept phases of the processing operation.

Further, the WP29 emphasizes that carrying out a DPIA is a continual process and not a one-time exercise. A DPIA should be continuously reviewed and regularly reassessed. The Dutch supervisory authority, for example, suggests reassessing a DPIA at least every three years, and the Belgian supervisory authority suggests a reassessment every two years. If in the meantime the risk level of the processing activities changes, a reassessment should be performed at the time of that change.

The requirement to carry out a DPIA also applies to existing processing operations.

Consulting the supervisory authority

If a DPIA identifies a high risk, and an organization is not able to take measures to reduce that risk, the organization should consult the competent supervisory authority. If the supervisory authority is of the view that the processing activities will violate the GDPR, it will provide written advice to the controller within eight weeks. The advice may entail that measures should be taken to comply with the GDPR or that the proposed processing operation may not be started. Whether in practice these prior consultations will often be requested remains to be seen, as controllers will likely be reluctant to inform the supervisory authority about a high risk processing for which they cannot find mitigating measures. Further, the response from the supervisory authority is predictable: "such processing violates the GDPR, so don't do it."

Practical recommendations

Organizations should assess whether they are obliged to perform DPIAs (e.g. by conducting a DPIA gateway assessment). If the organization decides that a DPIA is not necessary, it should document the rationale behind that decision in order to demonstrate that it is based on the relevant factors. It is important that a controller continuously assesses its processing activities to determine whether a decision not to perform a DPIA should be revised.

If an organization comes to the conclusion that it should perform a DPIA, it should make sure that the DPIA meets the minimum requirements. With regard to performed DPIAs, it is best if the organization designs a process to periodically reassess them (e.g. once every two or three years). In any case, a reassessment should take place if changes occur in the underlying processing activity or activities.

Organizations should create awareness within the organization with regard to the processing of personal data and, in particular, the obligation to perform DPIAs. The relevant individuals (e.g. key personnel within the IT team, HR, procurement, product development) should be made aware of the organization's DPIA policy. The DPO, or other individual responsible for GDPR implementation within the organization, should be responsible for creating this awareness.
