Article 29 Working Party (WP29) Guidelines on Data Protection Impact Assessments

The Article 29 Working Party adopted on 4 April 2017 guidelines on Data Protection Impact Assessments (DPIAs) and determining whether processing is “likely to result in a high risk” for the purposes of the GDPR.

Whereas traditional risk management (e.g. information security) is focused on the organization, a DPIA under the GDPR is a tool for managing risks to the rights and freedoms of the data subjects. While this primarily concerns the right to privacy, it may also involve other fundamental rights.

The GDPR provides data controllers with flexibility to determine the precise structure and form of the DPIA, but the DPIA must be a genuine assessment of risk, allowing controllers to take measures to address them. It is designed to describe the processing activity, assess its necessity and proportionality, and to help manage any resulting risks to the rights and freedoms of individuals.

A DPIA is mandatory where a processing is “likely to result in a high risk.”

However, the Article 29 WP recommends carrying out a DPIA nonetheless as it is a useful tool to help data controllers comply with data protection laws.

Article 35(3) provides some examples of when processing is likely to result in high risk:

  • “(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person10;
  • (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 1011; or
  • (c) a systematic monitoring of a publicly accessible area on a large scale.”

Supervisory authorities will also establish and communicate a list of processing operations that require a DPIA. In January 2017, the Belgian Supervisory Authority issued a draft of the list which was open for public comments.

A DPIA is not required when the processing:

  • Is not “likely to result in a high risk to the rights and freedoms of natural persons,”
  • Has already been authorized,
  • Has a legal basis in an EU or Member State law that has stated that an initial DPIA does not have to be carried out,
  • When the nature, scope, context and purposes of the processing are very similar to a processing for which a DPIA has been carried out,
  • When the processing is on the optional list established by the supervisory authority of processing operations for which no DPIA is required

How to carry out a DPIA?

It should be started as early as practicable in the design of the processing operation even if some of the processing operations are still unknown.
Every step of the DPIA process should be documented, and any decision not to conduct a DPIA should be supported by evidence of the reason for that decision.
Your DPIA should include, at a minimum:

  • a description of the envisaged processing operations and the purposes of the processing;
  • an assessment of the necessity and proportionality of the processing;
  • an assessment of the risks to the rights and freedoms of data subjects;
  • the measures envisaged to:
    • address the risks; and
    • demonstrate compliance with the GDPR

WP29 recommends that you publish your DPIA to help foster trust in the your processing operations, and demonstrate accountability and transparency. The published DPIA does not need to contain the whole assessment; it can consist of a summary of the main findings.

When to consult the Supervisory Authority?

The data controller will be required to seek prior consultation for a processing from the supervisory authority when a DPIA reveals high residual risks.

Example of unacceptable high residual risk:

Where the data subjects may encounter significant, or even irreversible, consequences, which they cannot overcome, and/or when it seems obvious that the risks will occur.

Re-assess your DPIA

The DPIA should be reviewed when there is a change in the risk presented by the processing operation.

As a matter of good practice, a DPIA should be continuously carried out on existing processing activities. It should be reassessed after 3 years, maybe sooner, depending on the nature of the processing and the range of change in the processing operation and general circumstances.

Annex: Criteria for an acceptable DPIA

The WP29 proposes the following criteria which data controllers can use to assess whether or not a DPIA, or a methodology to carry out a DPIA, is sufficiently comprehensive to comply with the GDPR:

  • A systematic description of the processing is provided (Article 35(7)(a)):
    • nature, scope, context and purposes of the processing are taken into account (recital 90);
    • personal data, recipients and period for which the personal data will be stored are recorded;
    • a functional description of the processing operation is provided;
    • the assets on which personal data rely (hardware, software, networks, people, paper or paper transmission channels) are identified;
    • compliance with approved codes of conduct is taken into account (Article 35(8));
  • Necessity and proportionality are assessed (Article 35(7)(b)):
    • measures envisaged to comply with the Regulation are determined (Article 35(7)(d) and recital 90), taking into account:
      • measures contributing to the proportionality and the necessity of the processing on the basis of:
        • specified, explicit and legitimate purpose(s) (Article 5(1)(b));
        • lawfulness of processing (Article 6);
        • adequate, relevant and limited to what is necessary data (Article 5(1)(c));
        • limited storage duration (Article 5(1)(e));
      • measures contributing to the rights of the data subjects:
        • information provided to the data subject (Articles 12, 13 and 14);
        • right of access and portability (Articles 15 and 20);
        • right to rectify, erase, object, restriction of processing (Article 16 to 19 and 21);
        • recipients;
        • processor(s) (Article 28);
        • safeguards surrounding international transfer(s) (Chapter V);
        • prior consultation (Article 36).
  • Risks to the rights and freedoms of data subjects are managed (Article 35(7)(c)):
    • origin, nature, particularity and severity of the risks are appreciated (cf. recital 84) or, more specifically, for each risk (illegitimate access, undesired modification, and disappearance of data) from the perspective of the data subjects:
      • risks sources are taken into account (recital 90);
      • potential impacts to the rights and freedoms of data subjects are identified in case of illegitimate access, undesired modification and disappearance of data;
      • threats that could lead to illegitimate access, undesired modification and disappearance of data are identified;
      • likelihood and severity are estimated (recital 90);
    • measures envisaged to treat those risks are determined (Article 35(7)(d) and recital 90);
  • Interested parties are involved:
    • the advice of the DPO is sought (Article 35(2));
    • the views of data subjects or their representatives are sought (Article 35(9)).

View complete analysis in the OneTrust Resource Center