Key References:

A. What is a DPIA:

  • Article 35 introduces the concept of DPIA.
  • No formal definition of a DPIA in the GDPR.
  • UK ICO definition: “Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.”
  • WP29 Guidelines explain: “A DPIA is a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them.”
  • Part of the Accountability Principle.

B. Who conducts a DPIA:

  • Data controllers and processors that engage in activities triggering a DPIA.
  • In consultation with designated DPO (Art. 35(2))

C. When to conduct a DPIA:

GDPR Article 35 states that a DPIA is mandatory when “processinglikely to result in a high risk to the rights and freedoms of natural persons“.

WP29 Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (wp248rev01) enumerate nine (9) criteria that indicate high risk processing and trigger a DPIA:

  1. Evaluation or scoring: e.g. credit reference screenings, behavioral or marketing profiles, genetic tests.
  2. Automated decision-making with legal or similar significant effect
  3. Systematic monitoring: e.g. systematic monitoring of a publicly accessible area.
  4. Sensitive data or data of a highly personal nature: e.g. data on health, political opinions, criminal convictions or offenses.
  5. Data processed on a large scale
  6. Matching or combining datasets e.g. data origination from different controllers or collected for different purposes.
  7. Data concerning vulnerable data subjects: e.g. situations of power imbalance between controllers and data subjects such as children, elderly, mentally ill, asylum seekers.
  8. Innovative use or applying new technological or organisational solutions, e.g. combining finger printing with facial recognition, use of “IoT” applications.
  9. Preventing data subjects from exercising a right or using a service or contract.

ICO Guidance on data processing likely to result in high risk and requiring a DPIA:

  1. Innovative technology
  2. Denial of service
  3. Large-scale profiling
  4. Biometrics
  5. Genetic data
  6. Data matching
  7. Invisible processing
  8. Tracking
  9. Targeting of children or other vulnerable individuals
  10. Risk of physical harm

D. Why Conduct a DPIA:

  • To Identify risk to data subjects
  • To Assess the severity of risk to data subjects,
  • To Mitigate the risk to data subjects by taking actionable measures.

E. How to Conduct a DPIA:

Art. 35(7) requirements

UK ICO on Key Elements of DPIA:

  • Step 1: Identify the need for a DPIA
    • Document the rationale for requiring DPIA.
  • Step 2: Describe the processing
    • Document the nature, scope, context and purposes of processing and categories that justify processing
    • Describe processes, systems, and data flows.
  • Step 3: Consider consultation
  • Step 4: Assess necessity and proportionality
    • Document the necessity of processing
    • Document whether risk in processing proportional to need for processing
  • Step 5: Identify and assess risks
    • Document risk to data subject such as loss of data, privacy, physical or emotional harm, discrimination, financial or health damage, reidentification.
  • Step 6: Identify measures to mitigate the risks
    • Document mitigation through tools such as RACI matrix (RACI: responsible, accountable, consulted, informed)
    • Document safeguards
    • Document plans for ongoing monitoring
  • Step 7: Sign off and record outcomes

F. Article 36 on Prior consultation with Supervisory Authority

  • WP29 Guidelines states that after completing a DPIA, when the residual risks remains high the data controller must consult the supervisory authority.
  • Art. 36 (1) The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
  • See also, Recital 94 on Consultation of the Supervisory Authority.