In its paper, which is open to consultation until 23 May, The Article 29 Working Party said that hospitals intending to process patients’ genetic and health data would be required to carry out a DPIA under the General Data Protection Regulation (GDPR), as would businesses deploying employee monitoring technologies or intending to gather "public social media profiles data" for the purpose of "generating profiles for contact directories".
However, the Working Party also gave examples of data processing that would "not necessarily" trigger the need for a DPIA. Those cases include where magazines plan to use mailing lists to send daily digests to subscribers, or where websites plan to use visitors' "past purchases behaviour" involving “limited profiling” for the purpose of serving adverts, it said.
Data protection, or privacy, impact assessments are used by organisations to identify, understand and address any privacy issues that might arise when developing new products and services or undertaking any other new activities that involve the processing of personal data.
In the UK, the Data Protection Act (DPA) does not oblige organisations to conduct privacy impact assessments, but the ICO has said they are useful 'best practice' tools for organisations to use and has issued guidance on how organisations can get the most from such assessments.
However, under the GDPR, organisations will be obliged to carry out DPIAs if their planned processing involves: "a systematic and extensive evaluation" of personal aspects based on automated processing, including profiling, resulting in decisions that significantly affect individuals; large scale processing of sensitive data or data on criminal convictions/offences; or systematic large scale monitoring of a publicly accessible area, such as through the use of CCTV.
The Regulation also requires DPIAs to be undertaken if planned data processing activities are otherwise "likely to result in a high risk to the rights and freedoms of natural persons".
In addition to the examples it outlined in its draft guidance, the Working Party set out criteria designed to help businesses determine whether they need to conduct a DPIA for planned data processing activities because a 'high risk' is likely.
In line with the GDPR, it said businesses should consider whether their processing involves evaluating or scoring individuals, automated decision making with legal or similar significant effects on data subjects, systematic monitoring, or the processing of sensitive data, including medical records, financial data or location data.
Other criteria to consider includes whether data would be processed on a large scale, involves the matching or aggregation of datasets, or concerns "vulnerable data subjects" where there is a power imbalance, including employees, children and the elderly, it said. In addition, businesses should consider if their processing would involve using innovative technologies, the transfer of personal data outside of the EU, and whether or not the processing "prevents data subjects from exercising a right or using a service or a contract", the Working Party said.
If two or more of the criteria are engaged then businesses would generally be expected to conduct a DPIA under the GDPR, it suggested. However, the obligation to undertake a DPIA might apply even if only one of the criteria applies to organisations' planned data processing activities.
"The more criteria are met by the processing, the more likely it is to present a high risk to the rights and freedoms of data subjects, and therefore to require a DPIA," the Working Party said. "As a rule of thumb, a processing operation meeting less than two criteria may not require a DPIA due to the lower level of risk, and processing operations which meet at least two of these criteria will require a DPIA."
"However, in some cases, a processing meeting only one of these criteria will require a DPIA. Conversely, if the controller believes that despite the fact that the processing meets at least two criteria, it is considered not to be 'likely high risk', he has to thoroughly document the reasons for not carrying out a DPIA," it said.
The Working Party said, however, that businesses may not have to carry out separate DPIAs for every data processing activity considered 'likely to result in a high risk'.
"A single DPIA could be used to assess multiple processing operations that are similar in terms of the risks presented, provided adequate consideration is given to the specific nature, scope, context and purposes of the processing," the Working Party said.
"This might mean where similar technology is used to collect the same sort of data for the same purposes. For example, a group of municipal authorities that are each setting up a similar CCTV system could carry out a single DPIA covering the processing by these separate controllers, or a railway operator (single controller) could cover video surveillance in all its train stations with one DPIA," it said.
Businesses should review the DPIAs they carry out "when there is a change of the risk presented by the processing operation", and at least every three years as general good practice, it said.
Data protection and technology law expert Dr Kuan Hon of Pinsent Masons, the law firm behind Out-Law.com, said that it was helpful that the Working Party guidance had expanded on what is meant by 'large scale' data processing, which is not defined in the GDPR, and had summarised the situations where a DPIA is not required, as well as suggested DPIA methodologies and clarified that data protection authorities should be consulted following a DPIA only where the residual risks are high, or in other words still high after mitigating measures identified via the DPIA to manage the privacy risks properly have been taken.
"The draft guidance also confirms that, strictly, DPIAs need not be published and, if published, need not contain the full assessment, for example commercially sensitive information or specific security risks may be excluded from the published version," Hon said. "However, the Working Party is right to point out that if a data controller considers a processing is not 'likely high risk', it should 'thoroughly document' the reasons for not carrying out a DPIA. This might also be desirable for the controller in more situations than the processing meeting at least two of the criteria stated."
Kuan said, though, that an aspect of the draft guidance might be misleading.
"The GDPR positively requires DPIAs in three specific situations listed and also in other 'likely high risk' situations, whereas the draft guidance might be taken to suggest that the criteria mentioned in the draft, which overlap, but only partly, with the three situations specified under the GDPR, were the main determinants," Hon said.
Hon also said that it is unclear whether businesses must conduct DPIAs for processing operations that were already in train before May 2018.
"While the draft seeks to address the position regarding such processing, 'strongly' recommending DPIAs for existing processing, and certainly when the privacy risks involved in the processing change, it does not go as far as stating definitively either way that DPIAs must – or alternatively need not – be conducted for such existing processing operations," Hon said.