When Is a DPIA Necessary? A Guide for Businesses
A Data Protection Impact Assessment (DPIA) is a process that systematically describes a processing operation involving personal data, assesses the necessity and proportionality of that processing in relation to its purposes, and identifies and evaluates the risks it poses, with the aim of selecting measures that prevent those risks from affecting the rights and freedoms of natural persons.
Article 35 of the GDPR requires a controller to carry out a DPIA where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. Large scale is one factor that points towards high risk, but it is not the trigger in itself.
According to Article 35(3) of the General Data Protection Regulation, three types of processing always require a DPIA:
- special categories of personal data (sensitive data) or data relating to criminal convictions and offences processed on a large scale
- systematic monitoring of a publicly accessible area on a large scale
- a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions are based that produce legal effects concerning individuals or similarly significantly affect them
The GDPR does not define "high risk" or "large scale", and determining who is at risk can be difficult in practice. Article 35(4) therefore requires each national supervisory authority to publish a list of the processing operations that are subject to a DPIA. Countries such as France, Germany, Italy, Estonia, Hungary, Romania and The Netherlands have published (draft) lists of data processing activities that require a Data Protection Impact Assessment. In other words, whether conducting a DPIA is an accountability obligation can depend on the jurisdiction of the state where the data is collected, processed or stored.
The Article 29 Working Party (the body of EU data protection authorities set up under Article 29 of the former Data Protection Directive), in its Guidelines on Data Protection Impact Assessment (WP248), lists nine criteria for processing operations that are considered inherently high risk. As a rule of thumb, processing that meets two or more of these criteria requires a DPIA:
- Evaluation or scoring, including profiling and predicting aspects such as economic situation, health, personal preferences or interests, behavior, location or movements
- Automated decision-making with legal or similarly significant effects on individuals
- Systematic monitoring, such as collecting personal data on a large scale by observing a publicly accessible area, where the data subjects may not be aware of who is collecting their data or why
- Processing sensitive or highly personal data, such as medical data, political opinions or criminal convictions
- Data processed on a large scale
- Matching or combining two data sets that were originally collected for different purposes
- Processing data concerning vulnerable individuals
- Processing data using innovative technologies whose personal and social consequences are not yet established
- Processing that in itself prevents individuals from exercising a right or from using a service or a contract
Conducting a DPIA is not an easy task. However, beyond being a legal obligation, this risk assessment can also prove highly beneficial to organizations, particularly those that are constantly introducing new elements or updating their processing activities.