Data protection, or privacy, impact assessments are used by organisations to identify, understand and address any privacy issues that might arise when developing new products and services or undertaking any other new activities that involve the processing of personal data.
The GDPR, which took effect from 25 May, mandates organisations to conduct DPIAs in specified circumstances, including where the processing would be "likely to result in a high risk to the rights and freedoms of natural persons".
The Data Protection Commission (DPC) recently published guidance (6-page / 343KB PDF) outlining 10 types of "processing operation" that it believes fall within the 'likely high risk' provisions.
The list includes where businesses wish to engage in large-scale customer profiling, or the systematic monitoring, tracking or observing of individuals' location or behaviour.
Other examples where DPIAs are mandated include where organisations plan on "profiling vulnerable persons including children to target marketing or online services at such persons" or to use "profiling or algorithmic means or special category data as an element to determine access to services or that results in legal or similarly significant effects". Businesses are also required to carry out DPIAs where they plan to carry out processing of biometric or genetic data in some circumstances.
In its guidance, the DPC said businesses should carry out a "documented screening or preliminary risk assessment" to determine whether their processing operations will trigger the need to undertake a full DPIA.
Out-Law.com asked the DPC to clarify the legal basis for this preliminary step. The watchdog provided a comprehensive response that highlights how the GDPR's provisions on DPIAs interact with its new duties on record keeping, under Article 30.
The DPC said: "In order to determine if a processing operation is high risk the data controller needs to go through a methodological process to identify the threats to data subjects and a calculation of the inherent risks involved. Clearly, if a processing operation is not high risk this can be easily recorded alongside the record keeping required for processing operations under Article 30."
"On the other hand, if a processing operation is complex then a full-scale screening process may be required and it may in fact form the preliminary steps of a DPIA. Other less complex processing operations may not require such an in-depth risk analysis. If this analysis step determines in fact that the risks are low and no further work on a DPIA is required then … this can be recorded with other Article 30 records," it said.
"Where the inherent risk calculation is determined to be high, the process will continue, may require stakeholder consultation and will involve identification of control measures and a recalculation of residual risk. So, screening is in fact in some cases the initial part of the DPIA process, but in others is a simpler and smaller step of recording risk and the decision not to conduct a DPIA proper that goes alongside the required GDPR Article 30 documentation," the DPC said.
In its guidance the DPC said it is "good practice to carry out a DPIA for any major new project involving the use of personal data, even if there is no specific indication of likely high risk". It also set out scenarios where businesses are not obliged to carry out a DPIA for their processing operations.
Examples it gave include if the processing has already been "authorised" by a "supervisory authority", or if the type of processing was "previously found not to be at risk by DPIA".