What is a ‘Data Protection Impact Assessment’ (DPIA) under EU Law?

From CNIL’s guidelines on DIPAs available online through https://www.cnil.fr/en/home

Key points:

A Data Protection Impact Assessment (DPIA) is a process that identifies and minimizes data protection risks a project mandated by EU Data Protection Law.

DPIA’s must be performed for processing that is likely to result in a high risk to individuals (this includes some specified types of processing). It is also good practice to do a DPIA for any other major project which requires the processing of personal data.

A DPIA must: (i) describe the nature, scope, context and purposes of the processing; (ii) assess necessity, proportionality and compliance measures; (iii) identify and assess risks to individuals; and (iv) identify any additional measures to mitigate those risks.

To assess the level of risk, organizations must consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm.

Controllers should consult with (i) their data protection officer (if they have one) and, (ii) where appropriate, individuals and relevant experts. Processors may also need to assist the controller at this stage. If a controller identifies a high risk that cannot be mitigated, they must consult with the data protection authority before starting the processing.

Available through ICO website https://ico.org.uk/

European data protection law requires a DPIA before starting a project that involves processing likely to result in high risk to individuals’ rights and freedoms. If the DPIA identifies a high risk that cannot be mitigated, organizations must consult the data protection authorities. This is a key part of the new focus on accountability and data protection by design.

Under Article 35 of GDPR:

Art. 35 GDPR Data protection impact assessments

1.Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.

3. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:

(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

(b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or

(c) a systematic monitoring of a publicly accessible area on a large scale.

4. The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.

5. The supervisory authority may also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. The supervisory authority shall communicate those lists to the Board.

6. Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal data within the Union.

7. The assessment shall contain at least:

(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

8. Compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.

9. Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.

10. Where processing pursuant to point (c)or (e) of Article 6(1) has a legal basis in Union law or in the law of the Member State to which the controller is subject, that law regulates the specific processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless Member States deem it to be necessary to carry out such an assessment prior to processing activities.

11. Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.

NOTE:

• DPIAs conducted by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or execution of criminal penalties are regulated by Article 27 of Directive (EU) 2016/680 and the requirements may vary according to member state law.

Available through ICO website https://ico.org.uk/

A DPIA is a tool to systematically and comprehensively analyse processing to identify and minimize data protection risks. DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm — to individuals or to society at large, whether it is physical, material or non-material. To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals.

DPIAs are mandatory before beginning any type of processing that is “likely to result in a high risk”. In particular, the GDPR says a DPIA is required when an organization plans to:

• use systematic and extensive profiling with significant effects;
• process special category or criminal offense data on a large scale; or
• systematically monitor publicly accessible places on a large scale.

Several Supervisory Authorities have issued guidelines identifying additional situations where a DPIA is required.

The EDPB has issued European guidelines defining nine criteria of processing operations likely to result in high risk.

The guidelines suggest that, in most cases, any processing operation involving two or more of these criteria requires a DPIA.

Available through ICO website https://ico.org.uk/

Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data because DIPAs can create compliance, financial and reputational benefits, and help organizations demonstrate accountability and building trust and engagement with customers.

A DPIA should begin early in the life of a project, before processing begins, parallel to the planning and development process.

A DPIA should include these nine steps:

Available through ICO website https://ico.org.uk/

Available through ICO website https://ico.org.uk/

DPIA’s must be embedded into organizational processes, and the outcome should meaningfully influence development. A DPIA is not a one-off exercise but an ongoing process that is subject to regular review.

The process should be designed to be flexible and scalable.

• Organizations must seek the advice of their data protection officer (if they have one) and consult with individuals and other stakeholders throughout this process.
• A DPIA does not have to indicate that all risks have been eradicated but it should document them and assess whether or not any remaining risks are justified.
• A DPIA may cover a single processing operation or a group of similar processing operations. A group of controllers can conduct a joint DPIA.
• Although publishing a DPIA is not required under EU data protection law, organizations should actively consider the benefits of publication. In addition to demonstrating compliance, publication can help engender consumer trust and confidence.

Organizations must consult their Data Protection Authority if the DPIA identifies a high risk that cannot be reduced through appropriate measures. In such a case, processing cannot begin until the Data Protection Authority is consulted. . The process to submit the DPIA and receive feedback may vary depending on the policies of the particular authority that will be consulted.

RELATED CONCEPTS

A Privacy Impact Assessment (PIA) is a process of for identifying, assessing and mitigating privacy risks for a specific product, service or system. Under US law, PIAs are mandatory in some cases in the public sector and are routinely conducted by various sub-agencies of the US Department of Homeland Security (DHS), and by many others. PIA’s are also considered best practices in the private sector in many countries and may be mandated in some cases by existing law.

Examples of PIA’s conducted by the public sector:

• PIA for the Systematic Alien Verification for Entitlements (SAVE) Program conducted in 2011 by DHS
• PIA for the Verification Information System Supporting Verification Programs conducted in 2007 by DHS

ADDITIONAL RESOURCES

Legal citations

Relevant provisions in the GDPR — See Articles 35 and 36 and Recitals 74–77, 84, 89–92, 94 and 95

From regulators

• WP29 produced guidelines on data protection impact assessments, which have been endorsed by the EDPB.
• CNIL guidelines on DPIAs
• ICO sample DPIA template.
• ICO’s detailed guidance on DPIA’s.
• If processing for law-enforcement purposes: ICO’s Guide to Law Enforcement Processing.
• The French #GDPR regulator @CNIL_en launched open source PIA software (available in English too) Jun 2019 to help to carry out data protection impact assessments:

Other

When to conduct a DPIA under GDPR: EDPB and the consistency mechanism at work by Dr. Kuan Hon

From lawfirms:

• FieldFisher National DPIA blacklist