When is a data protection impact assessment required and how is it conducted?

Under the GDPR, when a type of processing uses new technologies and, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals, the controller must, prior to the processing, conduct an assessment of the impact of the envisaged processing operations on the protection of personal data.  A data protection impact assessment (DPIA) is required in particular for the following types of processing:

  • A systematic and extensive evaluation of personal aspects relating to an individual which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significantly affect the individual;
  • Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences; or
  • A systematic monitoring of a publicly accessible area on a large scale.

In addition, each supervisory authority must publish a list of additional kinds of processing operations which require that a DPIA be conducted prior to their taking place. 

The DPIA must contain at least:

  • A systematic description of the anticipated processing operations and the purposes of the processing including, where applicable, the legitimate interest pursued by the controller.  In describing the processing, include:
    • The nature of the processing (e.g., what type of data would be processed? For how long?)
    • The scope of the processing (e.g., how many persons are involved)
    • The context of the processing (e.g., would the processing allow precise conclusions to be drawn about private lives of individuals?)
    • The lawful basis for the processing (e.g., legitimate interests)
  • An assessment of the necessity and proportionality of the processing operations in relation to the purposes
    • Necessity
      • Identify any fundamental rights and freedoms limited by the processing
      • Define the objectives of the processing
      • Choose the objective that is effective and least intrusive for the rights at stake
    • Proportionality
      • Assess the importance of the objective and whether the processing meets the objective
      • ‘Fair balance’ evaluation (i.e., compare the constraints and lack of constraints on privacy and data protection)
      • If the processing is not proportionate, identify safeguards (e.g., reduce the scope or the extent of the processing)    
  • An assessment of whether the type of processing is likely to result in a high risk to the rights and freedoms of individuals
    • Determine the Threat Likelihood (from the perspective of the individual) of:
      • Illegitimate access to personal data
      • Undesired modification of personal data
      • Disappearance of personal data
    • Determine the impact of each threat based on the severity of the harm that the threat – in the context of the processing activity – could have on an individual
    • Determine the Inherent Risk Level: (impact level) x (threat likelihood level)
  • The measures anticipated to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of individuals and other persons concerned
    • If the Inherent Risk Level is Medium or High, then the effectiveness of organizational and technical security measures is assessed to determine Residual Risk.
    • Determine the Residual Risk Level: (inherent risk level) x (measures effectiveness)
    • If the Residual Risk Level is High, the anticipated processing should not proceed without consulting the supervisory authority; if it is Low, the anticipated processing can proceed.  If it is Medium, the effectiveness of the individual measures should be reviewed to determine whether the anticipated processing should proceed and whether the supervisory authority needs to be consulted.
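The risk-scoring steps above (inherent risk from impact and likelihood, residual risk after measures, and the proceed / review / consult decision) as a worked example added here; this is not code from the blog or from GDPRsimple. The blog gives the formulas but not the scales, so the three-point scales, the score-to-level bands, the effectiveness factors and the rule that the worst single threat sets the level are all assumptions.

```python
from dataclasses import dataclass
from typing import List

# Assumed 3-point scales (not given in the post): 1 = Low, 2 = Medium, 3 = High.
# Assumed bands for mapping a product score (1..9) back to a level.
def level_from_score(score: float) -> str:
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"

# Assumed: effectiveness of the organisational/technical measures expressed as
# the fraction of the inherent score that remains after they are applied.
EFFECTIVENESS_FACTOR = {"Low": 1.0, "Medium": 0.5, "High": 0.25}

@dataclass
class Threat:
    name: str        # one of the three threat types listed in the post
    likelihood: int  # 1..3, assessed from the individual's perspective
    impact: int      # 1..3, severity of the harm to the individual

    def inherent_score(self) -> int:
        # Post: Inherent Risk = (impact level) x (threat likelihood level)
        return self.impact * self.likelihood

def inherent_risk(threats: List[Threat]) -> str:
    # Assumed: the worst single threat sets the level of the whole processing.
    return level_from_score(max(t.inherent_score() for t in threats))

def residual_risk(threats: List[Threat], effectiveness: str) -> str:
    worst = max(t.inherent_score() for t in threats)
    if level_from_score(worst) == "Low":
        return "Low"  # post: measures are only assessed for Medium/High inherent risk
    # Post: Residual Risk = (inherent risk level) x (measures effectiveness)
    return level_from_score(worst * EFFECTIVENESS_FACTOR[effectiveness])

def decision(residual_level: str) -> str:
    return {
        "High": "do not proceed without prior consultation of the supervisory authority",
        "Medium": "review the effectiveness of individual measures before deciding",
        "Low": "processing may proceed",
    }[residual_level]

# Constructed sample assessment of one processing activity.
SAMPLE_THREATS = [
    Threat("illegitimate access", likelihood=3, impact=3),
    Threat("undesired modification", likelihood=2, impact=2),
    Threat("disappearance", likelihood=1, impact=3),
]

if __name__ == "__main__":
    print("inherent:", inherent_risk(SAMPLE_THREATS))
    for eff in ("Low", "Medium", "High"):
        print(f"measures {eff}: residual={residual_risk(SAMPLE_THREATS, eff)}")
```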

This blog is the 31st in a series of blogs that explains, in bite-size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation.  Each of the bite-size pieces is part of one of the eight topics in GDPRsimple.

Next blog:  What consultations should occur prior to high-risk processing?  
