Article 35 of the GDPR provides for Data Protection Impact Assessments (DPIA). According to Article 35(1) a DPIA is required when “the processing [of data] is likely to result in a high risk to the rights and freedoms of natural persons.” A DPIA should be carried out “prior to the processing” (Articles 35(1) and 35(10), and recitals 90 and 93).
According to “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679” prepared by the Article 29 Data Protection Working Party, as last revised and adopted on 4 October 2017, where a likely high risk processing is planned, the data controller must choose a DPIA methodology (examples given in Annex 1 [of these Guidelines: Examples of existing EU DPIA frameworks]) that satisfies the criteria in Annex 2 [of these Guidelines: Criteria for an acceptable DPIA], or specify and implement a systematic DPIA process that:
- is compliant with the criteria in Annex 2;
- is integrated into existing design, development, change, risk and operational review processes in accordance with internal processes, context and culture;
- involves the appropriate interested parties and clearly defines their responsibilities (controller, DPO [Data Protection Officer], data subjects or their representatives, business, technical services, processors, information security officer, etc.);
- provides the DPIA report to the competent supervisory authority when required to do so;
- consults the supervisory authority when the controller has failed to determine sufficient measures to mitigate the high risks;
- periodically reviews the DPIA and the processing it assesses, at least when there is a change in the risk posed by the processing operation, and documents the decisions taken.
What information is needed for preparation of a DPIA? Article 35(7) and recital 90 of the GDPR set out the minimum requirements for a DPIA:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects…; and
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation…
A DPIA can include a description of the process and project; the personal information involved, how it is obtained and used, and who will have access to it; how the data is stored and deleted; the privacy and related risks identified and the privacy solutions evaluated; and the decisions taken to eliminate, mitigate or accept each identified risk.
Methodologies, guidelines and templates for preparing DPIAs are available. ISO/IEC 29134:2017 describes a process for privacy impact assessments (PIA) and the structure and content of a PIA report. The National Institute of Standards and Technology (NIST) Technology Innovation Program includes information about privacy impact assessments (PIA). The European Data Protection Board, other organizations, trade groups, and independent businesses and vendors have provided, and will continue to provide, guidance, tools, checklists and templates.
It remains to be seen how the market for “off the shelf” and “do it yourself” DPIAs and templates grows, and how these are treated by the European Data Protection Board, especially when they are used by SMEs.
A DPIA will need to be reviewed periodically. Factors to consider in the timing of review, revision and updating of a DPIA include the types of data collected; changes in the use of the data; the industry; changes in software, hardware, procedures, technology, vendors, customers and processors; and changes in guidance, guidelines and law.
Initially, and likely for many years, there will be gray areas in which people inside and outside an organization disagree about whether a DPIA is required. Even where the analysis shows that a DPIA is not required, in a number of situations it will be good practice to prepare, review and update one. Reasons for doing so include:
- it is best practice in the industry;
- clients, customers or contracts require one; and
- insurance carriers, especially in the United States, require or prefer that DPIAs be in place.
A DPIA, or a DPIA-like document, may also be required or recommended by other legislation, regulatory agencies and regulations, such as other privacy laws and laws concerning the protection of financial information.