Some organisations are already familiar with using ‘data protection impact assessments’ or ‘privacy impact assessments’ (“PIAs”) as a way to identify and mitigate risks associated with personal data processing.
PIAs will become a key aspect of risk management from 25 May 2018, when the General Data Protection Regulation (“GDPR”) starts to apply. Data controllers will need to carry out a PIA where the processing is likely to result in a high risk and may, in certain circumstances, also need to consult the supervisory authority before the processing begins.
The Article 29 Working Party (“WP29”), the European advisory body on data protection and privacy, has published draft guidelines to help organisations determine when and how PIAs should be carried out under the new rules.
Key points of the guidelines are:
- Scope: The GDPR provides that a PIA may address a single data processing operation or a set of similar processing operations that present similar high risks. According to the guidelines, a single PIA could cover a group of municipal authorities, each acting as a separate controller, that use a similar CCTV system, or a single controller (a railway operator) using video surveillance in various locations (train stations).
- When is a PIA required? The GDPR requires a PIA to be carried out if processing is “likely to result in a high risk to the rights and freedoms of natural persons”. A PIA is specifically required where organisations carry out a systematic and extensive evaluation of individuals based on automated processing, such as profiling, which produces legal effects for them or similarly significantly affects them; process special categories of personal data (‘sensitive personal data’) or criminal offences data on a large scale; or systematically monitor publicly accessible areas on a large scale. This list is non-exhaustive, so a PIA may be necessary even if the processing falls outside these categories. Broadly, a PIA will not be required if the processing is not likely to result in a high risk, has already been authorised by the supervisory authority, has a legal basis in EU or member state law under which a PIA has already been carried out, or falls within the supervisory authority’s optional list of processing operations that do not require a PIA, subject to some caveats.
- What is meant by ‘high risk’? The GDPR does not define ‘high risk’. However, in the WP29’s view, as a rule of thumb a PIA will be required if the processing meets two or more of the following criteria:
- Evaluating or scoring individuals (for example, credit checks or genetic testing)
- Processing aimed at taking decisions on individuals which produce legal effects or similarly significantly affect individuals (for example, where it could lead to exclusion or discrimination)
- Processing used to observe, monitor or control data subjects (for example, monitoring employees’ work stations or internet activity)
- Sensitive data (in the broad sense, including location data and financial data as well as the special categories)
- Processing on a large scale
- Processing datasets that have been matched or combined in a way that would exceed the reasonable expectations of the individual
- Processing data concerning vulnerable data subjects (for example, employees, children or the elderly)
- Using new technology (for example, fingerprint scanning or face recognition)
- Transferring personal data outside the European Union
- Processing which prevents individuals from exercising a right or using a service or contract (for example, using credit checks to determine whether to grant a loan).
Conversely, processing that meets fewer than two criteria may not require a PIA, given the perceived lower level of risk, although the controller remains responsible for justifying that conclusion and documenting it.
- How to carry out a PIA? The GDPR states that a PIA should be carried out “prior to the processing”. The WP29 says this should be as early as practical in the design of the processing operation, even if some of the processing operations are still unknown, and that the PIA should be revisited as the design matures. Although the WP29 considers that the PIA requirement applies to processing operations initiated after May 2018, it strongly recommends carrying out a PIA even for processing operations already underway before May 2018, particularly if new technology has come into use or there is a change in the level of risk. If the organisation has a data protection officer (“DPO”), the DPO’s advice should be sought and documented. Annex 2 to the guidelines summarises what the PIA should cover.
- When do you need to consult the supervisory authority? The supervisory authority must be consulted before the processing begins if the PIA shows that the identified risks cannot be sufficiently addressed, i.e. the controller cannot find sufficient measures to reduce them to an acceptable level. Member state law may also require consultation in certain circumstances if the processing relates to the performance of a task carried out in the public interest, including in relation to social protection or public health.