Article 35 of the General Data Protection Regulation (GDPR) stipulates that a Data Protection Impact Assessment (DPIA) should be carried out if the processing of data is likely to create a high risk. Although there is no definitive explanation of what exactly constitutes high risk, steps have been taken to provide clarification.
The Article 29 Working Party, set up under the previous EU data protection directive (Directive 95/46/EC), has published guidance on what types of processing are likely to be considered high risk.
The GDPR itself also names some processing that is likely to be high risk: systematic and extensive profiling or other automated decision making that produces legal or similarly significant effects, large-scale processing of sensitive (special category) data, and processing that uses new technologies. It should be noted, however, that the use of new technology does not, on its own, make processing high risk.
Article 35 calls for supervisory authorities to create and publish their own lists of data processing activities that will require DPIAs.
What is a DPIA?
A DPIA is an exercise that enables a business to examine the risks associated with a processing operation and to review its procedures with GDPR compliance in mind. The assessment must be carried out before "high risk" processing begins, so that risks can be identified and mitigated; a business that has not done so is not compliant with the GDPR. If the DPIA shows that a high risk would remain even after the planned mitigations, the business must consult its supervisory authority (the Lead Supervisory Authority, or LSA, for cross-border processing) before starting the processing.
“High risk” processing, for the purposes of DPIA requirements, includes the types of processing mentioned above, as well as “systematic monitoring of a publicly accessible area on a large scale”. This may mean that video recording to track footfall on a street outside of a retail location or to monitor car traffic in a publicly accessible place could require a DPIA.
There is no prescribed step-by-step process for carrying out a DPIA, but the GDPR stipulates the minimum content that a DPIA must include. This is:
- A systematic description of the envisaged processing operations and their purposes, including, where applicable, the legitimate interest pursued by the controller.
- An assessment of whether the processing is necessary and proportionate in relation to those purposes.
- An assessment of the risks that the processing poses to the rights and freedoms of the data subjects.
- The measures envisaged to address those risks, including safeguards and security measures, and the mechanisms used to ensure the protection of personal data and demonstrate compliance.
If the organization has a Data Protection Officer, the controller must seek the DPO's advice when carrying out the DPIA. A DPO is mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive data; the 250-employee threshold that is sometimes cited relates to record-keeping obligations, not to the DPO requirement.
In order to comply with Article 35 of the GDPR, there are certain processes that are best practice for a business to undertake.
- Data auditing, so that the business knows what data it holds, where it is held, how it is processed, and who is responsible for managing the processing. Each processing activity should have a designated owner in order to ensure accountability and promote compliance.
- Determining the most suitable type of assessment for each type and area of data processing. Different high-risk data types and different collection and processing needs call for different assessment methods; using an approach that fits the processing gives more confidence in the DPIA's results and in compliance with the relevant GDPR requirements.
- Investigating approved codes of conduct and certifications. Article 35 states that compliance with an approved code of conduct "shall be taken into due account in assessing the impact of the processing operations", and certification can likewise help demonstrate that appropriate safeguards are in place.
Once a business has examined all of this information, it will then be in a stronger position to execute DPIAs on the data that it processes.