What is a Privacy Impact Assessment, or PIA, under the GDPR, and when do you have to perform one?

Even before the GDPR, Privacy Impact Assessments (PIAs) were widely considered best practice by regulators. Many organizations included PIAs in their privacy management processes as a matter of good practice, even though this was not required by the EU Data Protection Directive (95/46/EC), the predecessor legislation to the GDPR. From May 2018, the GDPR introduced a formal requirement for organizations, in their role as controllers, to conduct a Data Protection Impact Assessment (DPIA), also referred to as a Privacy Impact Assessment (PIA), before undertaking any processing that is likely to result in a high risk to the rights and freedoms of individuals by virtue of its nature, scope, context or purposes (Article 35).

DPIAs are used to identify the specific risks to the rights and freedoms of individuals that result from data processing activities. A DPIA is required whenever a controller begins a new project or processing operation that is likely to involve a high risk to the rights and freedoms of the individuals whose personal data is processed.

The EDPB 1 has advised that where it is unclear whether or not to conduct a DPIA then one should be carried out, because a DPIA provides a useful tool to help comply with data protection law generally.

A DPIA is a process designed to help the data controller systematically analyze, identify and minimize the data protection risks of a project or plan. It is a key part of the accountability obligations under the GDPR.

A DPIA must contain at least:

– A systematic description of the proposed processing operations;
– An identification of the purposes of the processing;
– A description of the legitimate interest, if any, pursued by the controller;
– An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
– An assessment of the risks to the rights and freedoms of data subjects;
– The measures envisaged to address the risks, including the safeguards and security measures put in place to protect personal data and to demonstrate compliance.

The EDPB identified a number of circumstances where a DPIA is not required:

– Where the processing is not “likely to result in a high risk to the rights and freedoms of natural persons”;
– Where the nature, scope, context and purposes of the processing are very similar to those of a processing operation for which a DPIA has already been carried out;
– Where a processing operation has a legal basis in EU or Member State law, where that law regulates the specific processing operation and where a DPIA has already been carried out as part of the adoption of that legal basis;
– Where the processing is included on the optional list, established by the supervisory authority, of processing operations for which no DPIA is required.

In order to foster trust in the controller’s processing operations and to demonstrate accountability and transparency, the controller can choose to publish its DPIA. The published version does not need to contain the whole assessment; a summary or the conclusions of the DPIA may be sufficient.

The Data Protection Officer (DPO) is a central figure in performing DPIAs. The controller is responsible for conducting the DPIA, but where a DPO has been designated the controller must seek the DPO’s advice. The DPO should review the DPIA, advise on whether the risks have been appropriately identified and mitigated, and monitor its performance.

The DPIA should be carried out before the processing activity begins. As such, it should be viewed as a tool to support decision-making concerning the processing. If the DPIA shows that the processing would still result in a high risk after the envisaged measures are applied, the controller must consult the supervisory authority before starting the processing (Article 36). The DPIA may also need to be updated once the processing has actually started, for example where the nature, scope, context or purposes of the processing change.

Under the GDPR, non-compliance with DPIA requirements can lead to fines imposed by the competent supervisory authority. Failure to carry out a DPIA when required may lead to a fine of up to €10 million or 2% of the organization’s total worldwide annual turnover for the preceding financial year, whichever is higher.

At the Law Office of S. Grynwajc we act as external DPOs for a number of US clients with operations in the EU or which otherwise have access to EU personal data for the purposes of their business activities. As such, we help companies comply with their GDPR obligations, including performing DPIAs where required or advisable. Our team of dual US and EU qualified privacy lawyers are experts in EU data protection law, and are therefore well equipped to help you comply with the GDPR and other EU and EU member state data protection laws.

Consequently, should you need to better understand your obligations under GDPR, please reach out! We’d love to help.

1 The European Data Protection Board is a body of the EU made up of the heads of the supervisory authorities of each member state and the European Data Protection Supervisor, and is responsible for ensuring the consistent application of data protection law across the EU.
