When introducing new data processing techniques and technologies that pose high privacy risk, GDPR will require your company to conduct data protection impact assessment. This privacy impact assessment operation should establish whether to go ahead with the planned operations and under what conditions.
According to GDPR, »where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.«
What technologies constitute high privacy risk?
Regardless of specific technology use, the following activities would in particular trigger the need for a data protection impact assessment:
– systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
– processing on a large scale of sensitive personal data i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, or of personal data relating to criminal convictions and offences; or
– systematic monitoring of a publicly accessible area on a large scale – such as by means of surveillance cameras.
From technology perspective, the usual suspects for high privacy risk are technologies that constitute a certain type of ‘monitoring’. The most obvious examples are cameras and other sensors attached to IoT (Internet of Things) devices. When it comes to profiling, Big Data analytics could be especially intrusive. Supervisory authorities in Member States are expected to maintain a list of data processing operations that would automatically trigger the need for a privacy impact assessment.
Who should conduct data protection impact assessment?
According to the GDPR, when carrying out the data protection impact assessment, the company shall seek the advice of the Data Protection Officer, where designated. However, it is crucial for all the relevant departments to participate, and the exercise needs to be well understood and supported by the top management, to whom the Data Protection Officer must directly report.
Typically, the IT department needs to asses, in close collaboration with the Data Protection Officer, the security and specifically privacy risks of using certain software and hardware. Marketing, sales, or HR would need to be closely involved if the data their department is in charge are processed, plus if they are determining the purpose and scope of processing.
Typically, the IT department will need to asses, in close collaboration with the Data Protection Officer, the security and specifically privacy risks of using certain software and hardware. Marketing, sales, or HR would need to be closely involved if the data their department is in charge of are processed, plus if they are determining the purpose and scope of the processing.
It is crucial for any successful data protection impact assessment exercise to overcome the silo approach of the company. This can only be achieved if the CEO and the board take it seriously. The incentives for them to do so are clearly present: the GDPR introduces penalties for non-compliance up to 4% of the company’s global annual turnover.
What does the data protection impact assessment comprise?
As a minimum, the following components of the data protection impact assessment are required according to the GDPR:
- a systematic description of the envisaged data processing operations and the purposes of the processing, including, where applicable, the legitimate interest in the data processing operation pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the data processing purposes;
- an assessment of the risks to the rights and freedoms of data subjects; and
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.
What happens after the data protection impact assessment?
The privacy impact assessment may establish acceptable risks to individuals’ rights. However, the controller must consult its national supervisory authority prior to the new type of processing where the data protection impact assessment has indicated that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. The authority may require amendments to the processing activities in order to address such risk.
