WP29's DPIA Guidelines: Main highlights
Criteria to be considered
The DPIA Guidelines contain a number of criteria that, according to WP29, ought to be considered when assessing whether a concrete set of processing operations is "likely to result in a high risk", thereby necessitating a DPIA. The Guidelines state that the more of these criteria the processing meets, the more likely it is to present a high risk to the rights and freedoms of data subjects, and thus to require a DPIA. Briefly, the criteria listed in the Guidelines are the following:
- Evaluation or scoring, including profiling and predicting, especially from "aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements" (recitals 71 and 91);
- Automated decision-making with legal or similarly significant effects, such as where the processing may lead to the exclusion of, or discrimination against, individuals;
- Systematic monitoring of data subjects;
- Sensitive data: examples mentioned are a general hospital keeping patients' medical records or a private investigator keeping offenders' details, as well as data which may more generally be considered as increasing the possible risk to the rights and freedoms of individuals, such as electronic communication data, location data and financial data (which might be used for payment fraud);
- Data processed on a large scale: though not defined in the GDPR, WP29 recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale:
  - The number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
  - The volume of data and/or the range of different data items being processed;
  - The duration, or permanence, of the data processing activity;
  - The geographical extent of the processing activity.
- Datasets that have been matched or combined;
- Data concerning vulnerable data subjects, e.g. employees vis-à-vis their employer, children, the mentally ill, asylum seekers, the elderly and patients;
- Innovative use or application of technological or organisational solutions, such as combining the use of fingerprint and face recognition for improved physical access control;
- Data transfer across borders outside the EU, taking into consideration the envisaged country or countries of destination, the possibility of further transfers or the likelihood of transfers based on derogations for specific situations set forth by the GDPR;
- When the processing in itself "prevents data subjects from exercising a right or using a service or a contract" (article 22 and recital 91), including processing performed in a public area that people passing by cannot avoid.
Carrying out a DPIA
Though the data controller is ultimately responsible for carrying out the DPIA, it must seek the advice of the Data Protection Officer (DPO), where designated, and this advice and the decisions taken should be documented within the DPIA. The DPO should also monitor the performance of the DPIA. If the processing is wholly or partly performed by a data processor, the processor should assist the controller in carrying out the DPIA and provide any necessary information.
Furthermore, as required by article 35(9), "[w]here appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing". WP29 provides some practical guidance on how such views could be sought, depending on the context, e.g. an internal or external study related to the purpose and means of the processing operation, a formal question to the staff representatives or trade/labour unions, or a survey sent to the data controller's future customers. The Working Group also clarifies that if the data controller's final decision differs from the views of the data subjects, its reasons for going ahead or not should be documented. The controller should also document its justification for not seeking the views of data subjects, if it decides that this is not appropriate.
WP29 underscores that it is good practice to define and document other specific roles and responsibilities, depending on internal policy, processes and rules, for soliciting input and assistance from actors such as independent experts (e.g. lawyers, security experts), the DPO, data processors, the Chief Information Security Officer, if appointed, and/or the IT department.
Throughout the DPIA Guidelines, one notes the increased importance of the controller's obligation to maintain documentation, including documentation of the decisions taken and the steps involved in taking them, as well as of the actors or bodies consulted or whose input was sought (or not sought).
The Guidelines note that there is an overlap between the components of the DPIA pursuant to recital 90 of the GDPR and the components of risk management (e.g. ISO 31000), such as establishing the context of the risks, assessing the risks and treating the risks. However, as the Guidelines underscore, the DPIA under the GDPR is a tool for managing risks to the rights of the data subjects, and thus takes their perspective, whereas risk management in some other fields (e.g. information security) is focused on the organization.
Though publication of the DPIA is not a legal requirement of the GDPR, WP29 recommends that it be published either in full or in part (e.g. a summary of the main findings). Where the DPIA reveals high residual risks, the data controller is required to seek prior consultation from the supervisory authority for the processing, and the DPIA must be provided to the supervisory authority.
The DPIA Guidelines are open for public consultation until 23 May 2017 before their final adoption by WP29.
Wikborg Rein provides legal assistance to organizations that are preparing to be GDPR compliant, and will be happy to discuss with you how we may assist your organization in this respect.