10 Data Protection Impact Assessment Lyst6737

A Data Protection Impact Assessment (DPIA) is required under GDPR when processing is likely to result in a high risk to individuals' rights and freedoms, particularly in cases involving large-scale processing of sensitive data, automated decision-making, or systematic monitoring. The DPIA must describe the processing operations, assess risks, and outline measures to mitigate those risks. It is essential for data controllers to consult with stakeholders and document the assessment process to ensure compliance with data protection regulations.

Uploaded by Dipti Sawant

Data Protection Impact Assessment

What is a DPIA - Quick Statute check
GDPR Article 35(1), (4) & (5):

“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact….”

“The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.”

“The supervisory authority may also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. The supervisory authority shall communicate those lists to the Board.”
Recital 90 - Data Protection Impact Assessment

● A data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk.

● That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation.
Recital 91 - Necessity of a Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA):

● should apply to large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk;

● should also be made where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data, or following the processing of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures.
DPIA - When required?
A DPIA is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals. A DPIA is required at least in the following cases:

● a systematic and extensive evaluation of the personal aspects of an individual, including profiling;
● processing of sensitive data on a large scale;
● systematic monitoring of public areas on a large scale.

Source - https://ec.europa.eu/
DPIA - When required?
The following criteria should be considered.

1. Evaluation or scoring, including profiling and predicting, especially from “aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements” (recitals 71 and 91)

2. Automated decision-making with legal or similarly significant effect: processing that aims at taking decisions on data subjects producing “legal effects concerning the natural person” or which “similarly significantly affects the natural person” (Article 35(3)(a))

3. Systematic monitoring: processing used to observe, monitor or control data subjects, including data collected through networks or “a systematic monitoring of a publicly accessible area” (Article 35(3)(c))

4. Sensitive data or data of a highly personal nature: this includes special categories of personal data as defined in Article 9, as well as personal data relating to criminal convictions or offences as defined in Article 10.

5. Data processed on a large scale

6. Matching or combining datasets

7. Data concerning vulnerable data subjects (recital 75)

8. Innovative use or applying new technological or organisational solutions. The GDPR makes it clear (Article 35(1) and recitals 89 and 91) that the use of a new technology, defined in “accordance with the achieved state of technological knowledge” (recital 91), can trigger the need to carry out a DPIA.

Source - EDPB Guidelines on Data Protection Impact Assessment (DPIA)


Examples where a DPIA is required
● A bank screening its customers against a credit reference database;
● a hospital about to implement a new health information database with patients’ health data;
● a bus operator about to implement on-board cameras to monitor drivers’ and passengers’ behaviour.

Source - https://ec.europa.eu/
Source - EDPB Guidelines on Data Protection Impact Assessment (DPIA)
Sometimes, you just HAVE to - Art 35(3)
A DPIA must always be conducted when the processing could result in a high risk to the rights and freedoms of natural persons.

In some circumstances the assessment is mandatory. Art. 35(3) of the GDPR requires a DPIA in the case of:
a. a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
b. processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
c. a systematic monitoring of a publicly accessible area on a large scale.

If only someone had done a DPIA….
Important elements of a DPIA
Describing the information flows -

- identify how it is intended to collect, store, use and delete personal information as part of the project;
- also identify what kinds of information will be used as part of the project and who will have access to the information.

Identifying the risks associated with data protection -

- examine the project design to assess what data protection issues arise in the project;
- identify any risks it may expose individuals to, as well as any data protection-related risks that the project might create for your organisation.

Important elements of a DPIA
Document Proper Consultation -

- data controllers are required to consult with consumers on their views about the new project;
- consult with your Data Protection Officer, data processors, or information security experts to understand the full implications and risks of the project.

Identify and Evaluate Data Protection Risks -

- potential threats to privacy and data security must be considered and listed.
Article 35(7) - What must it contain?

a. a description of the processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
b. an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
c. an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
d. the measures planned to address the risks, including safeguards, security measures and other mechanisms.
ICO’s Checklist for a DPIA
● confirmed whether the DPIA is a review of pre-GDPR processing or covers intended processing, including timelines in either case;

● explained why we needed a DPIA, detailing the types of intended processing that made it a requirement;

● set out clearly the relationships between controllers, processors, data subjects and systems, using both text and data-flow diagrams where appropriate;

● ensured that the specifics of any flows of personal data between people, systems, organisations and countries have been clearly explained and presented;

● explicitly stated how we are complying with each of the Data Protection Principles under GDPR and clearly explained our lawful basis for processing (and special category conditions if relevant);

● identified all relevant risks to individuals’ rights and freedoms, assessed their likelihood and severity, and detailed all relevant mitigations;

● given details of stakeholder consultation (e.g. data subjects, representative bodies) and included summaries of findings;

● evidenced our consideration of any less risky alternatives to achieving the same purposes of the processing, and why we didn’t choose them.

Source - https://ico.org.uk/
What does a DPIA form actually look like?
Source - Privacypolicies.com
