In April 2017, the Article 29 Working Party (WP29) released guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is likely to result in a “high risk” in an effort to help companies understand the new Data Protection impact assessment requirement introduced by the GDPR in Article 35 and Regulation 2016/679. The guidelines were open for public comments until 23 May 2017 and the revised version was published a few days ago.
Overall, the revised version does not contain any major changes from the original one and most of the changes are no more than language tweaks. However, there are a few noticeable ones (detailed below):
- The Working Party reinforces the importance of the risk-based approach in data protection frameworks
- Changes to the criteria to consider when determining whether a processing operation is likely to result in high risk
- Additional practical examples
- DPIAs are required in some circumstances for existing processing operations
- The explicit three-year re-assessment requirement was removed
- Bigger role given to the CISO
WP29 reinforces the importance of the risk-based approach in data protection frameworks
Section III of the guidelines now starts with a half-page long emphasis on risks in the context of data protection. The obligation for controllers to conduct a DPIA should be understood “against the background of their general obligation to appropriately manage risks” to the rights and freedoms of individuals. Rights and freedoms of data subjects concerns primarily the rights to data protection and privacy but also involve other fundamental rights such as freedom of speech, freedom of thought, freedom of movement, prohibition of discrimination, right to liberty, conscience and religion. Controllers must continually assess the risks associated to a particular processing activity in order to identify when it may result in a high risk. The risks for each processing operation have to be identified, analysed, estimated, evaluated and mitigated and controllers cannot escape their responsibility by covering risks under insurance policies.
Changes to the criteria to consider when determining whether a processing operation is likely to result in high risk
In order to help companies determine whether a particular processing operation is likely to result in a high risk, the Article 29 Working Party provides a list of criteria to consider. The list went from 10 criteria down to nine and some of the criteria have been specified: “Sensitive data” is now “Sensitive data or data of highly personal nature,” thus expanding the scope of this criterion. The new guideline adds for this criterion that “beyond the provisions of the GDPR, some categories of data can be considered as increasing the possible risk to the rights and freedoms of individuals. These personal data are considered as sensitive (as this term is commonly understood) because they are linked to household and private activities (such as electronic communications whose confidentiality should be protected), or because they impact the exercise of a fundamental right (such as location data whose collection questions the freedom of movement) or because their violation clearly involves serious impacts in the data subject’s daily life (such as financial data that might be used for payment fraud)”. It is interesting to note that the criterion that was removed is “data transfer across borders outside the European Union.”
Additional practical examples
Below the list of criteria, the guidelines include a table with examples of processing and the possible relevant criteria to consider for each. The revised version now offers additional examples:
Example of processing 1
- An institution creating a national level credit rating or fraud database
Possible relevant criteria
- Evaluation or scoring
- Automated decision making with legal or similar significant effect
- Prevents data subject from exercising a right or using a service or a contract
- Sensitive data or data of a highly personal nature
Example of processing 2
- Storage for archiving purpose of pseudonymised personal sensitive data concerning vulnerable data subjects of research projects or clinical trials
Possible relevant criteria
- Sensitive data
- Data concerning vulnerable data subjects
- Prevents data subjects from exercising a right or using a service or a contract
Example of processing 3
- A processing of “personal data from patients or clients by an individual physician, other health care professional or lawyer” (Recital 91).
Possible relevant criteria
- Sensitive data or data of a highly personal nature
- Data concerning vulnerable data subjects
DPIAs are required in some circumstances for existing processing operations
While the first version of the guidelines stated that the requirement to carry out a DPIA applies to processing operations meeting the criteria in Article 35 and initiated after the GDPR takes effect on 25 May 2018, the new version now mentions that the requirement to carry out a DPIA applies to existing processing operations likely to result in a high risk to the rights and freedoms of natural persons and for which there has been a change of the risks, taking into account the nature, scope, context and purposes of the processing. It also adds that a DPIA is not needed for processing operations that have been checked by a supervisory authority or the data protection official, in accordance with Article 20 of Directive 95/46/EC, and that are performed in a way that has not changed since the prior checking.
The explicit three-year re-assessment requirement removed
While there is no change in position regarding the fact that a DPIA, in order to serve its purpose, must be continuously carried out on existing processing activities so as to identify potential changes that would result in a high risk, it is interesting to note that the requirement to re-assess each DPIA after three years is no longer included in the October version, which now only states that as a matter of good practice, a DPIA should be continuously reviewed and regularly re-assessed.
Bigger role given to the CISO
A minor, but nonetheless significant, change appeared in the recommendation to define and document specific roles and responsibilities within the organisation, depending on internal policy, processes and rules. In the new guidelines, the Chief Information Security Officer (CISO) – if appointed – could suggest that the controller carries out a DPIA on specific processing operation, and should help the stakeholders on the methodology, help to evaluate the quality of the risk assessment and whether the residual risk is acceptable, and to develop knowledge specific to the data controller context. Only the DPO was included for this task in the previous version.
