Understanding and Managing Privacy Impact Assessments

  • Author: Niklas Drexler
  • Last updated: 06.04.2020
  • Category: General Obligations

Under the GDPR, companies must not only comply with its high privacy standards but must also document their compliance efforts and the internal implementation of the legal requirements.

In case of complaints by EU customers or official investigations by EU data protection authorities, comprehensive documentation is key to mitigating liability risks. Documentation requirements under the GDPR include, among others:

  • The data controller should be able to demonstrate compliance with the principles of EU data protection laws.
  • Depending on the complexity and privacy-sensitive nature of the data processing, the data controller should implement technical and organizational measures allowing it to demonstrate overall GDPR compliance.
  • Where the processing is based on consent (and not, for example, legitimate interests), the data controller should be able to provide evidence that the data subject has given valid consent.
  • The data processor (i.e. a vendor processing personal data on behalf of its B2B customers) should be able to demonstrate compliance with its obligations stemming from data processing agreements.
  • With regard to certain business operations involving processing of personal data, data controllers must carry out “data protection impact assessments”, documenting GDPR compliance of the respective business activity.

With this article, we want to provide you with an overview of what you need to know regarding the last-mentioned “data protection impact assessments” (DPIAs) pursuant to Article 35 GDPR.

What is a Data Protection Impact Assessment?

Conducting a DPIA is a process to assess the risks to natural persons stemming from business activities which involve the processing of their personal data (risk identification), to determine measures for mitigating such risks (risk management), and to monitor the implementation of such measures and thereby ensure ongoing GDPR compliance (monitoring and review). At the first stage, the DPIA is purely internal. Involving the supervisory authority is only required where the DPIA reveals high residual risks which cannot be mitigated through technical and organizational measures; in that case the controller must consult the authority before starting the processing (prior consultation, Article 36 GDPR).

The DPIA process is mostly applied to new software, products, and employee surveillance programs. It can apply to data-driven business models such as sharing economy products (extensive processing of location and accounting data), health and fitness apps, or ad tech companies. It may also affect a company that, for example, rolls out a new data loss prevention system which records and analyzes all online workplace behavior.

Which business activities are subject to the DPIA requirement?

A DPIA is required where a type of processing “is likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1) GDPR). Risks to be considered may result from external sources (e.g. fraud, identity theft or blackmail following unauthorized disclosure of sensitive personal information) as well as from internal sources (e.g. discrimination due to algorithmic decisions).

Regarding the different roles of “data controllers” and “data processors” under the GDPR, it should be noted that the DPIA requirement addresses data controllers only. For example, a software vendor offering threat detection software to its business customers does not itself have to conduct a DPIA for its customers' use of the product. Processors are, however, obliged to assist the controller in carrying out a DPIA (Article 28(3)(f) GDPR), so it can be useful to prepare a product-related DPIA as a basis which customers can adapt. In the privacy-sensitive EU market, being prepared to help customers with DPIAs can be a valuable sales argument.

Guidance by EU authorities

Following the Guidelines on DPIAs originally issued by the Article 29 Working Party and endorsed by the European Data Protection Board (EDPB), nine criteria should be considered when determining whether an internal business process, software solution or data-driven product is subject to a DPIA. As a rule of thumb, processing that meets two or more of these criteria will in most cases require a DPIA:

  • Evaluation or scoring, including profiling and predicting, especially from aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements – e.g. behavioral profiling for purposes of marketing or employee performance monitoring.
  • Automated decision-making with legal or similarly significant effect – e.g. a purely algorithmic decision on whether a contract is concluded with a consumer.
  • Systematic monitoring: processing used to observe, monitor or control data subjects – e.g. comprehensive CCTV system for shops.
  • Sensitive data or data of a highly personal nature – e.g. electronic patient files in a hospital.
  • Data processed on a large scale – e.g. extensive web crawlers to collect personal information from social media platforms.
  • Matching or combining datasets, for example originating from two or more data processing operations performed for different purposes and/or by different data controllers in a way that would exceed the reasonable expectations of the data subject – e.g. direct marketing based on individual profiling with data from various sources.
  • Data concerning vulnerable data subjects – e.g. online platforms specifically for children, ad targeting of people in weak economic situations.
  • Innovative use or applying new technological or organisational solutions, like combining use of fingerprint and face recognition for improved physical access control, etc.
  • When the processing in itself “prevents data subjects from exercising a right or using a service or a contract” – e.g. credit scoring of potential customers.

Blacklists by national authorities

As the wording of the GDPR is rather broad when it comes to defining the business activities subject to a DPIA, supervisory authorities have published lists of the kinds of processing operations for which a DPIA is required (so-called blacklists, Article 35(4) GDPR). Since the authorities are national bodies of the EU member states, requirements may vary throughout the EU.

You can find the national blacklists in the following link list (all links lead to official servers). The documents are available in English unless indicated otherwise. Data controllers should review the blacklists of all member states in which they do business.


Some of the lists are not yet final, as they are still undergoing the EU consistency mechanism, in the course of which the EDPB issues an opinion on the national authority's draft. The lists may also generally be subject to changes by the competent authorities.

How to carry out a DPIA in practice?

According to the GDPR, the DPIA shall contain at least:

  • a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects; and
  • the measures envisaged (a) to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and (b) to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned.

During the process, the data controller should:

  • seek the views of data subjects or their representatives, where appropriate, e.g. by surveys and studies;
  • seek the advice of the DPO, if one has been designated, particularly regarding the questions of (a) whether or not to carry out a DPIA, (b) what methodology to follow, (c) whether to carry out the DPIA in-house or to outsource it, (d) what safeguards to apply to mitigate risks, and (e) whether the DPIA and its findings are in compliance with the GDPR.

The EDPB accepts various methodologies for carrying out a DPIA, such as ISO/IEC 29134, as long as they comply with the legal requirements of the GDPR. Some authorities have also published helpful guidance, templates and tools:

