Do you need to conduct a GDPR data protection impact assessment? Here you will find guidelines to help you determine whether you need a DPIA and which procedure and methodology you can follow.

What is a data protection impact assessment or DPIA

Quoting the Article 29 Working Party (WP29), a data protection impact assessment is “a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them”. (Guidelines on Data Protection Impact Assessment, wp248rev01).

Data protection impact assessments are also known by their short name “DPIA” or as privacy impact assessments, “PIA” for short. This tool allows you to achieve compliance with the Regulation but also to demonstrate that compliance, showing evidence that the impact of the processing on data subjects has been assessed and appropriate measures were taken.

In other words, a DPIA is a process for building and demonstrating compliance.

When is a data protection impact assessment required

The European data protection legal framework requires you to carry out a data protection impact assessment whenever one of the following three scenarios occurs.

Processing of Article 35.3 of the GDPR

Article 35.3 of the GDPR sets forth three types of processing which require conducting a data protection impact assessment. These are:

  1. a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  2. processing on a large scale of special categories of data (sensitive personal data), or of personal data relating to criminal convictions and offences; or
  3. a systematic monitoring of a publicly accessible area on a large scale.

Processing included in the list of the supervisory authority

Article 35.4 states that data protection authorities of EU Member States shall establish and make public a list of the kinds of processing operations which are subject to the requirement for a data protection impact assessment, and that these lists shall be communicated to the European Data Protection Board.

“If the processing activities that you envisage to carry out are included in the list of your supervisory authority, then you need to conduct a data protection impact assessment.”

You can access all lists communicated by EU Member State supervisory authorities to the EDPB here.

Processing is likely to result in a high risk for the rights and freedoms

Article 35.1 of the GDPR establishes that carrying out a data protection impact assessment is mandatory when the processing is likely to result in a high risk to the rights and freedoms of natural persons, in particular when using new technologies, and taking into account the nature, scope, context and purposes of the processing.

To assess whether a processing is “likely to result in a high risk”, the WP29 set forth 9 criteria to consider:

  1. Evaluation or scoring. Profiling and predicting, especially from “aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements”.
  2. Automated decision-making with legal effect. Processing that aims at taking decisions on data subjects producing legal effects or which similarly significantly affect them.
  3. Systematic monitoring. Processing used to observe, monitor or control data subjects, including data collected through networks or “a systematic monitoring of a publicly accessible area”.
  4. Sensitive data or data of a highly personal nature. This includes special categories of personal data, personal data relating to criminal convictions or offences and other categories of data which are considered sensitive because they are linked to household and private activities, because they impact the exercise of a fundamental right, or because their violation clearly involves serious impacts on the data subject’s daily life.
  5. Data processed on a large scale. When determining whether the processing is carried out on a large scale, the WP29 recommended considering: (i) the number of data subjects concerned; (ii) the volume and/or range of data items; (iii) the duration of the processing; and (iv) its geographical extent.
  6. Matching or combining datasets. Combining data sets originating from two or more data processing operations performed for different purposes and/or by different data controllers in a way that would exceed the reasonable expectations of the data subject.
  7. Data concerning vulnerable data subjects. This includes cases where there is an increased power imbalance between the data subjects and the data controller. Vulnerable data subjects may include, inter alia, children, employees, mentally ill persons, asylum seekers, the elderly and patients.
  8. Innovative use or applying new technological or organisational solutions. The GDPR makes it clear that the use of a new technology, defined “in accordance with the achieved state of technological knowledge”, can trigger the need to carry out a DPIA.
  9. When the processing in itself “prevents data subjects from exercising a right or using a service or a contract”. This includes processing operations that aim at allowing, modifying or refusing data subjects’ access to a service or entry into a contract.

The more criteria a data processing meets, the more likely it is to present a high risk to the rights and freedoms of data subjects and therefore to require a DPIA. In most cases, and as a general rule, when a processing meets two criteria a DPIA is necessary.

However, that is not an absolute rule, and whether a DPIA is necessary needs to be evaluated on a case-by-case basis. There are situations where a processing meets many criteria and yet the controller can demonstrate that a DPIA is not required, and conversely there are cases where a processing which meets only one criterion requires a DPIA because it presents a high risk.

When a data protection impact assessment is not mandatory

The WP29 considers that a DPIA is not required in the following cases:

  • where the processing is not likely to result in a high risk to the rights and freedoms of natural persons;
  • when the nature, scope, context and purposes of the processing are very similar to those of a processing for which a DPIA has already been carried out;
  • when the processing operations have been checked by a supervisory authority before May 2018 in specific conditions that have not changed;
  • where a processing operation is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority, provided that:
    • it has a legal basis in EU or Member State law, where the law regulates the specific processing operation;
    • a DPIA has already been carried out as part of the establishment of that legal basis, and
    • there is no exception from the relevant Member State which states that it is necessary to carry out a DPIA;
  • where the processing is included on the optional list (established by the supervisory authority) of processing operations for which no DPIA is required.

Furthermore, according to Recital 91 of the GDPR, the processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer. In such cases, a data protection impact assessment should not be mandatory.

Data protection impact assessment procedure

A single DPIA may concern a single data processing operation, multiple similar processing operations, or the data protection impact of a technology product. It must be conducted prior to the processing and, as established by Article 35.7, it shall include at least the following elements:

  1. a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  2. an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  3. an assessment of the risks to the rights and freedoms of data subjects which are likely to result in a high risk; and
  4. the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

It is an iterative procedure which the WP29 illustrated with this diagram:

[Diagram: data protection impact assessment procedure, as illustrated by the WP29]

As indicated by the WP29, the reference to “the rights and freedoms” of data subjects primarily concerns “the rights to data protection and privacy but may also involve other fundamental rights such as freedom of speech, freedom of thought, freedom of movement, prohibition of discrimination, right to liberty, conscience and religion.”

Furthermore, the GDPR also requires that, when assessing the impact of processing activities on the rights and freedoms of individuals, you also take into account compliance with codes of conduct.

Data protection impact assessment methodology

When it comes to the methodology for conducting a data protection impact assessment, while it is true that the GDPR does not require you to follow any specific approach, it is highly recommended to follow ISO 31000 for the risk assessment and the data protection authorities’ guidelines to plan and organise your DPIA and to assess the necessity and proportionality of the processing and the risks to the rights and freedoms.

You have the choice to select any methodology that you deem better suited to your business, or to create your own, which means that you can scale and shape the DPIA to your specific needs and budget. Nonetheless, for a DPIA to be effective and in line with the law and European standards, the WP29 indicates that a methodology shall include at least the following criteria:


Description of the processing

A systematic description of the following items is provided:

  • nature, scope, context and purposes of the processing;
  • record of personal data, recipients and retention periods;
  • the processing operation;
  • the assets on which personal data rely (hardware, software, networks,…); and
  • compliance with approved codes of conduct.

Necessity and proportionality

A description of the measures envisaged to comply with:

Risk management

For each risk to confidentiality, integrity and availability of personal data, from the perspective of the data subject:

  • risk sources are taken into account;
  • potential impacts to the rights and freedoms of data subjects are identified in case of events including illegitimate access, undesired modification and disappearance of data;
  • threats that could lead to illegitimate access, undesired modification and disappearance of data are identified; and
  • likelihood and severity are estimated.

Measures envisaged to treat those risks are determined.

Involvement of interested parties

  • the advice of the DPO is sought;
  • the views of data subjects or their representatives are sought, where appropriate.

Finally, once the DPIA has been concluded, the DPIA and the processing it assesses need to be reviewed periodically, or at least whenever there is a change in the risk posed by the processing operation.

Notification of the DPIA to the supervisory authority

Once the likelihood of a threat and its impact on data subjects have been assessed, you obtain the value of the risk.

Where the risk value is high and you cannot implement controls to reduce that risk, or the measures envisaged do not reduce the risk enough, then you have a high residual risk and you need to consult the supervisory authority prior to commencing the processing activity and communicate the data protection impact assessment. This is set out by Article 36.1, which states:

The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

Regarding the content of the prior consultation, the GDPR requires you to provide, besides the data protection impact assessment, the following information:

  1. where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
  2. the purposes and means of the intended processing;
  3. the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to the Regulation;
  4. where applicable, the contact details of the data protection officer; and
  5. any other information requested by the supervisory authority.

Where the supervisory authority is of the opinion that the intended processing would infringe the Regulation, it shall, within a period of up to eight weeks of receipt of the request for consultation, provide you with written advice. Furthermore, the supervisory authority may also use any of its powers, including corrective powers.

What is the fine for failing to comply with DPIA obligations

Not conducting a DPIA when mandatory, conducting it inappropriately or not consulting the supervisory authority when necessary may expose your organisation to an administrative fine of up to 10 million euros or, if you are an undertaking, of up to 2% of the total worldwide turnover of the preceding financial year, whichever is higher.

CNIL data protection impact assessment tool

The CNIL released an open source PIA software which helps controllers to carry out data protection impact assessments.

The main languages into which the PIA software is fully translated are French and English. However, it has been translated by the community into several other languages, such as Spanish.

The data protection impact assessment tool from the CNIL can be downloaded and easily launched on a computer as a stand-alone version, or it can be deployed on an organisation’s servers in order to integrate it with other tools and systems already used in-house.

You can access more information about this tool and download the CNIL PIA software from here.
