The privacy regulation (Regulation (EU) 2016/679) will be soon directly applicable on the entire European territory. Companies, public administrations and private citizens are in the final rush to comply with the dispositions of the new legislation.
In order to make it easier to understand a complex and articulated text such as the GDPR, we propose hereinafter a collection of simple factsheets, structured with a Q&A formula, that starting from known privacy concepts, give a first and brief guidance to the reading of the new legislation.
What is the Data Protection Impact Assessment?
The new Regulation on data protection (GDPR), obliges controllers to assess the risk to which their processing is likely to expose personal data and consequently the rights and freedoms of natural persons. The Data Protection Impact Assessment, (“DPIA”), is a “continuous process”(an “on-going process) which should be reviewed continuously and whenever there are substantial changes, which ultimately results in a list of activities carried out to assess risk deriving from processing and the means, tools and measures adopted to identify and minimise this risk.
When is it necessary to do a DPIA?
The controller must do a DPIA before beginning any kind of processing, namely in as early as possible a stage of the design of the processing operation where it is still possible to modify and take measures so as to mitigate the likely risk emerging from the assessment. Indeed, this obligation is part of the proactive security approach adopted by the GDPR, consisting of a series of preventive and precautionary tools of protection for the personal data processed.
Is it a mandatory obligation?
DPIAs are only mandatory in certain cases, i.e. in the case of: a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; b) processing on a large scale of special categories of data referred to in Art. 9(1), or of personal data relating to criminal convictions and offences referred to in Art.10; or c) a systematic monitoring of a publicly accessible area on a large scale (see “LINK Faq on DPO” for the concept of “large scale”). It is also provided for that the supervisory authority draws up and publishes a list of the kind of processing operations which are subject to the need for a DPIA.
And even in cases when it is not mandatory, a DPIA is a recommended measure, since it is a useful tool to allow the controller to identify likely situations of risk and to remedy them, before harming data subjects or infringing the law (also to demonstrate compliance with the GDPR).
Who has the obligation of conducting the DPIA?
The controller is responsible for making sure the DPIA is carried out. Another person inside or outside the organisation may carry out the DPIA. However, ultimate accountability for this obligation remains with the controller who should carefully monitor the assessment.
As the GDPR highlights, prior to the processing the controller should consult the Data Protection Officer and the processor. It is also provided for that, where appropriate, the controller (or the subject delegated to do the assessment) should seek the views of data subjects or their representatives about the intended processing. If after having sought the views of data subjects, the controller’s final decision differs from their views, its reasons for going ahead or not should be recorded.
How must a DPIA be carried out?
Whether the DPIA is mandatory or discretionary, it is necessary to perform a systematic description of the processing operations which are likely to result in high risk. For each processing (or category of processing), information will need to be collected on: a) the nature, scope, context and purposes of the processing; b) personal (and sensitive) data, data subjects and period for which the personal data will be stored; c) a functional description of processing operations and, in particular, data flows (i.e., disclosure by transmission, circulation or otherwise making the personal data available, transfer, specifying the recipients whether inside or outside the controller’s organisation); d) the assets on which personal data rely (hardware, software, networks, people, paper or paper transmission channels); e) subjects who might access the data together with the purposes of or reasons for this access.
Subsequently, it will be necessary to assess and describe whether the processing is necessary and proportionate in relation to the purposes and security measures adopted: for each processing, security measures to deal with the risk will need to be checked, including safeguards, security measures and tools to safeguard the protection of personal data.
Thanks to the documentation and information collected, it will be possible to get on with identifying the risks which the personal data are exposed to, analysing their life cycle and taking into account how they are used, the purposes which they are used for, if any new technologies are used and the subjects authorised to process them.
Once the risks have been identified, they will have to be managed. At this stage, it will be necessary to choose (where possible) whether a particular risk should be eliminated, mitigated or accepted.
Where do I keep my DPIA?
Results and observations from the DPIA should merge into a final report, where collected and examined information is presented in a systematic and functional way with measures and remedies adopted and implemented to address risks. The report should specify the name of the organisation or the project for which the DPIA has been carried out, the subjects or the team who have carried out the DPIA and the contact details of a the designated lead contact.
Focus: obligations relating to the DPIA
Even if it is not a legal requirement of the GDPR, in its Guidelines on DPIA adopted on 4th April 2017 and revised on 4th October 2017, Working Party Art. 29 (A29WP) recommends sharing the report (or parts of it – but only non-commercial/sensitive parts) to demonstrate accountability and transparency (and “to help foster trust in the controller’s processing operations”). This is especially encouraged for those organisations where members of the public are affected by the processing operation.
When the risks which have been identified have been successfully managed by the controller with a DPIA, the procedure can be considered concluded. On the contrary, whenever the identified risks cannot be sufficiently addressed by the controller (i.e. when the residual risks are still high), then the controller must consult the supervisory authority, in order to proceed with consultation prior to processing in accordance with Art. 36 of the GDPR.