Data Protection Impact Assessments – What, When and How? (Reloaded)

You've just finished presenting an exciting new product idea to your team when your DPO asks whether you've thought about completing a DPIA. Your DPO is, of course, referring to a Data Protection Impact Assessment. This is something that must be completed whenever an activity involving the processing of personal data is likely to result in a "high risk" to individuals, as required under Article 35(1) of the General Data Protection Regulation ("GDPR"). Essentially, a DPIA is a process whereby a data controller can systematically identify and minimise the risks of a specific processing activity.

In some cases, carrying out a DPIA is mandatory but in other cases a DPIA can be used as a best practice tool to identify any potential compliance gaps and help meet your accountability obligations under the GDPR. We previously discussed DPIAs before the GDPR came into force. In this article, we take a second look at when a DPIA is required and provide some practical tips you should consider when carrying out this crucial compliance exercise.

If you want to see an overview of the national DPIA "blacklists" (discussed below), read our table summary.

When is a DPIA required?

There are three sources to consider when determining whether you need to carry out a DPIA: the GDPR itself, guidance from the European Data Protection Board ("EDPB") and the so-called national DPIA "blacklists". We'll take a look at each in turn.
 

1. Article 35 of the GDPR

The GDPR itself doesn’t define "high risk" processing but Article 35(3) does set out three scenarios which automatically trigger the need for a DPIA. These are:

1. systematic and extensive evaluation of personal aspects of individuals, including profiling, that have a legal effect or similarly significant effect,
2. processing of special categories of personal data or criminal record data on a large scale, and
3. systematic public monitoring on a large scale.

These scenarios are quite narrow, so assuming they don't apply in your case you'll need to consider other guidance on the topic.
 

2. EDPB criteria

Fortunately, the EDPB has published guidelines on determining whether processing is likely to result in a "high risk" under the GDPR (WP 248 rev.01). These include nine criteria that should be considered (the "EDPB criteria").

Some of the EDPB criteria focus on the type or nature of the data and individuals involved: these include "data processing on a large scale", the processing of "sensitive data or data of a highly personal nature" and "data concerning vulnerable data subjects". Other criteria focus on how the data is processed and the methodologies used: these include processing that involves the "systematic monitoring" of individuals, "matching or combining data sets", "evaluation or scoring" or the use of "new or innovative technological or organisational solutions". The final two EDPB criteria consider the potential impact to individuals, including if the processing leads to "automatic decision-making" (as per Article 22 of the GDPR) or otherwise "prevents data subjects from exercising a right or using a service or contract".
 
According to the guidelines, a DPIA will generally only be required where two or more of the EDPB criteria apply but in some cases a DPIA will be required where only one criterion applies. The EDPB gives particular focus to new technologies (this is also specifically called out in the recitals of the GDPR).
 
You'll need to think about how the EDPB criteria apply in the context of your processing activity, taking into account what data you are processing, the types of individuals concerned, the methodologies and technologies involved and the potential outcomes and impact on individuals. For example, a medical company that uses health information to build profiles of patients will likely need to conduct a DPIA as it is processing sensitive data and using that data to evaluate or profile individuals (and potentially using innovative technology to do so). Equally, a manufacturer of a connected toy that collects children's data would also need to carry out a DPIA because it is using new and innovative technology and processing information about vulnerable data subjects (and potentially monitoring children's behaviour as well).
 
The EDPB's guidelines may give you a good idea of whether you'll need to carry out a DPIA or not, but they aren't the only guidance you should consider.
 

3. National DPIA "blacklists"

In addition to the EDPB criteria, you may also need to consult one or more of the so-called national DPIA "blacklists". These are lists that the supervisory authorities of the various EU Member States are required to publish under Article 35(4) of the GDPR and which set out when a DPIA is required for processing activities that they supervise.
 
So far, 22 such blacklists have been published. We have reviewed them and summarized the most common triggers or scenarios that feature – see our table summarizing the national blacklists.

The blacklists vary quite a lot in their approach. Some set out specific scenarios where a DPIA will be required whereas others identify broader criteria along the same lines as the EDPB's guidelines. Our table categorizes the scenarios according to broad headings and naturally there are differences as to how each is described or interpreted by the blacklists. Ultimately, the table provides a high-level view of the main risks identified by the supervisory authorities and you'll need to investigate local requirements more closely to determine whether they apply in your case.

It's also worth mentioning that a few supervisory authorities have published a list of processing activities that do not require a DPIA – so-called national DPIA "whitelists". These lists are permitted by Article 35(5) of the GDPR but are not mandatory, so it's perhaps unsurprising only a few whitelists have been published to date (by Austria, Belgium, France, Spain and the Czech Republic, in draft or final form).
 

How should I complete a DPIA?

So you've concluded that you need to carry out a DPIA. But how do you go about doing it?
The GDPR doesn't prescribe exactly how you should complete a DPIA, but Article 35(7) does say that it should include at a minimum:

1. a description of the processing operation (including the purpose for the processing and, if relevant, the legitimate interests pursued),
2. an assessment of the necessity and proportionality of processing,
3. an assessment of risks to rights of data subjects (including both risks to privacy and data protection rights as well as other fundamental rights), and
4. what mitigating measures can be taken to reduce the risks.

So the first (and probably most obvious) thing you'll need to provide is a comprehensive description of the processing in question. For this, you'll need a good understanding of the product or processing activity, which may require the input and involvement of the relevant department or product team. Once you have the relevant facts and can give this description, you can move on to the analysis. For the risk assessment, this should cover topics such as your lawful grounds for processing (including, if relevant, the legitimate interests pursued), how individuals will be provided with notice and choice, who else is involved in the processing (including sources and recipients of the data), and whether any other specific obligations may apply (for instance, if the processing involves the use of cookies, direct or automatic decision making). Finally, your DPIA should identify what steps or measures can be taken to reduce the risks you've identified (and explain how these measures should be carried out).

The EDPB's guidelines provide further analysis on the requirements for DPIAs (including when consultation with supervisory authorities may be necessary and when a controller should consider publishing their DPIA), and include a list of DPIA frameworks.  A number of supervisory authorities, including the UK ICO, have also published templates that can be used or adapted according to your needs.

One thing to think about is that completing a DPIA can be an involved exercise, so you could consider preparing a short form assessment for the business and product teams and which will help identify whether a full DPIA is required – this could touch on some of those scenarios from the EDPB criteria and national blacklists. Ultimately, the GDPR does not prescribe how you approach DPIAs and you can develop a process that is suitable for the size of your organization and the processing you carry out.

Lastly, don't forget that a DPIA should be a living document so you'll need to revisit it on a regular basis to ensure it is accurate and up to date – especially if any aspect of the processing changes.

If you follow these steps, you should hopefully be ready the next time your DPO asks whether you've thought about a DPIA!

With many thanks to Simone Bloem for her help in preparing this article and the corresponding table.