Article 29 Working Party (WP29) Guidelines on Data Protection Impact Assessments

The Article 29 Working Party adopted on 4 April 2017 guidelines on Data Protection Impact Assessments (DPIAs) and determining whether processing is “likely to result in a high risk” for the purposes of the GDPR.

Whereas traditional risk management (e.g. information security) focuses on risks to the organization, a DPIA under the GDPR is a tool for managing risks to the rights and freedoms of the data subjects. While this primarily concerns the right to privacy, it may also involve other fundamental rights.

The GDPR provides data controllers with flexibility to determine the precise structure and form of the DPIA, but the DPIA must be a genuine assessment of risk, allowing controllers to take measures to address them. It is designed to describe the processing activity, assess its necessity and proportionality, and to help manage any resulting risks to the rights and freedoms of individuals.

A DPIA is mandatory where a processing is “likely to result in a high risk.”

Even where processing is not likely to result in a high risk, the Article 29 WP recommends carrying out a DPIA nonetheless, as it is a useful tool to help data controllers comply with data protection laws.

Article 35(3) provides some examples of when processing is likely to result in high risk:

Supervisory authorities will also establish and communicate a list of processing operations that require a DPIA. In January 2017, the Belgian Supervisory Authority issued a draft of the list which was open for public comments.

A DPIA is not required when the processing:

How to carry out a DPIA?

The DPIA should be started as early as practicable in the design of the processing operation, even if some of the processing operations are still unknown.
Every step of the DPIA process should be documented, and any decision not to conduct a DPIA should be supported by evidence of the reason for that decision.
Your DPIA should include, at a minimum:

WP29 recommends that you publish your DPIA to help foster trust in your processing operations and to demonstrate accountability and transparency. The published DPIA does not need to contain the whole assessment; it can consist of a summary of the main findings.

When to consult the Supervisory Authority?

The data controller will be required to consult the supervisory authority prior to the processing when a DPIA reveals high residual risks, i.e. risks that remain high after the measures identified in the DPIA have been taken into account.

Example of unacceptable high residual risk:

Where the data subjects may encounter significant, or even irreversible, consequences, which they cannot overcome, and/or when it seems obvious that the risks will occur.

Re-assess your DPIA

The DPIA should be reviewed when there is a change in the risk presented by the processing operation.

As a matter of good practice, a DPIA should be continuously reviewed for existing processing activities. It should be reassessed after 3 years, perhaps sooner, depending on the nature of the processing and the rate of change in the processing operation and general circumstances.

Annex: Criteria for an acceptable DPIA

The WP29 proposes the following criteria which data controllers can use to assess whether or not a DPIA, or a methodology to carry out a DPIA, is sufficiently comprehensive to comply with the GDPR:
