Irish DPC Issued Draft List of Types of Data Processing Operations Which Require A DPIA

The Irish Data Protection Commission (DPC) has prepared a draft list of processing operations for which it considered mandatory to conduct a DPIA as well as factors which will lead to high risk. The controller has the obligation to conduct such assessment when its activity falls under the list. DPC guidance on steps to conduct DPIA is available online.

Overview

This list of processing operations is intended to cover both national and cross-border data processing and must be approved by the European Data Protection Board (EDPB) where the processing involves individuals in several member states or may substantially affect the free movement of data within EU. Currently, DPC website is still citing to the WP29 “high risk” list. OneTrust has published an article on this topic.

For additional details on the basis for this list see:

  • 35(1) – the processing is likely to result in high risk to the rights and freedoms of individuals. Using new technologies is likely to be the case
  • 35 (3) – automated decision-making
  • 35(4) – required by a data protection supervisory authority – a list of specific kinds of processing operation that are likely to result in a high risk to the right and freedoms of data subjects

Key points

While conducting a DPIA is highly recommended by DPAs and mandatory when processing activities may bring high risk to individual’s rights and freedoms, there are underlying burdens on businesses. The variation in DPA high risk factors may result in complexity for businesses with processing across several member states. This works against the harmonization that the GDPR sought to provide.

DPIAs for any processing activity

  • DPC is proposing that a DPIA is required if an organization engages in one of the 11 types of processing activities in the DPC’s ancillary list. In addition, the DPC recommends DPIA as good practice to be carried out in any processing activities. The Centre for Information Policy Leadership (CIPL), in its comment on the DPC Draft list, recommends that a DPIA is not necessary unless “a prescreening or preliminary risk assessment by the organization demonstrates that the processing operation is likely to result in a high risk to the rights and freedoms of individuals pursuant to Article 35(1).”

High-risk factors

  • DPC also provides factors that can lead to high risk processing. All of the factors are included in the EDPB (formerly WP29) factors except two added by the DPC. The two new factors are (1) Ex-EEA data transfers depending on the envisaged country of destination and the possibility of further onward transfers; and (2) Insufficient protection against unauthorized reversal of pseudonymization. CIPL raised its concern that if each individual DPA has their own list of high risk factors, it will bring barrier for organizations operating across the EU to implement and operationalize an efficient and coherent DPIA process within their organizations.

Conclusion

It is important to know when it is necessary to carry out a full DPIA and how to identify those activities with high risks. OneTrust automated assessments can help. OneTrust automated assessments make it simple to perform prescreening or preliminary risk assessments as well as capturing the full range of required details should a full DPIA be required.