16# Data Protection Impact Assessment

We have talked a lot about risks in this series, and this post will touch upon a critical feature of risks and the GDPR. Namely, the requirement to carry out a data protection impact assessment, or DPIA for short.

The DPIA is a handy tool to manage risks by identifying and mitigating high-risk processing, and to demonstrate compliance with the regulations. The assessment is not mandatory for every processing activity, there is a triggering DPIA threshold for processing that is likely to result in a high risk to the rights and freedoms of persons. A single assessment may also address a set of similar processing operations presenting similar high risks. So what is high risk?

To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals, taking into account the nature, scope, context, and purposes of the processing. Or an alternative description that we presented previously: their inherent characteristics, size and range, circumstances, and aims. The ideal scenario for any DPIA is that you identify a way to achieve the purpose of the processing activity without incurring any severe privacy risks. So that your processing goes from high risk to a lower risk type.

The WP29 noted that DPIAs are particularly relevant for the introduction of new technologies. When they did a legal investigation of the regulation’s articles and recitals, the WP29 found what I call the red flag list of inherent risks. They presented a total of nine criteria relevant for DPIAs:

• Evaluation or scoring; especially aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements.
• Automated-decision making with legal or similarly significant effect.
• Systematic monitoring.
• Sensitive data or data of a highly personal nature. Like special category data or criminal offence data. But also other data types due to their connection to household and private activities, their impact on the exercise of a fundamental right, or because it clearly involves serious impacts in the data subject’s daily life.
• Data processed on a large scale.
• Matching or combining datasets.
• Data concerning vulnerable data subjects. For example, children, employees, mentally ill persons, asylum seekers, the elderly, or patients.
• Innovative use or applying new technological or organisational solutions
• When processing prevents data subjects from exercising a right or using a service or a contract. I.e., any processing whose purpose is to allow, modify or refuse the data subjects with access to a service or entry into a contract, for example, processing credit information.

The ICO and the supervisory authorities around the EU have used these red flags when they decide on when a DPIA is required and when it is not. Here are the two lists from France’s CNIL, the former is about when a DPIA is required, and the latter is for when it isn’t. Here is the UK’s ICO’s list for when a DPIA is required.

We recommend that you do an initial scoping (Pre-Assessment or Privacy Threshold Assessment [PTA]) to determine if a DPIA is required, since a DPIA is quite demanding. The PTA should be in a format that indicates whether a full-scale DPIA is required and the reasons behind it. It should therefore focus on the red flag list, the list from your supervisory authority, and the potential high risk associated with the processing envisioned. A full-scale, standard, and well-structured DPIA on the other hand should include a systematic description of the processing, and assessments of:

1. The nature, scope, context, and purposes of the processing and the origin of the risks
2. The necessity and proportionality of the processing activity
3. Any risks to individuals
4. Any additional measures that could mitigate risks

You should document any decisions stemming from the DPIAs and PTAs, and review the assessments periodically to make sure that they are up-to-date. If you have a DPO or other consultancies, then their advice and recommendations should be documented. In DPOrganizer’s tool, there are templates for pre-assessment and a full-scale DPIA. Any assessment you conduct can be saved for reviews or showing accountability for as long as you deem necessary. DPOrganizer’s Professional Services Team can help you carry out any assessment.

What if you can’t mitigate the high risks that have been identified by any measures? Then you must consult your supervisory authority before processing, which means that the authority gives you written advice on processing. You should provide the supervisory authority with:

• The respective responsibilities of the controller, joint controllers, and processors involved in the processing, in particular for processing within a group of undertakings
• The purpose(s) and means of the intended processing
• The measures and safeguards to protect the rights and freedoms of data subjects
• The contact details of your data protection officer
• The DPIA report
• Any other information requested by the supervisory authority

As a matter of best practice, you should have the DPIA referenced in your internal documents where appropriate. You could also have a DPIA policy that would cover when you should do a DPIA (i.e., identifying, analysing, estimating, evaluating, and treating risks), the DPIAs content, roles, and responsibilities for DPIAs. If there are any other data protection stakeholders, they ought to be stated in the policy and included in the process.

So to summarise. A PTA is carried out for processing suspected that it will carry risk. If a high risk is likely then you do a full-scale DPIA, and if there still is a high-risk present that you can’t mitigate by safeguards, security measures and mechanisms, then you must consult with the supervisory authority.

If you have any questions, you can reach me by mail at albin.thelin@nulldporganizer.com, or throw a question to other privacy professionals over at Watercooler by DPOrganizer. Otherwise, you can join us next week when Anna is going to talk about Data Protection Officers!