The EDPB's 9 Criteria for DPIAs

When do you NEED to do a DPIA? We look at EU GDPR and the EDPB's famous 9 Criteria. And we've a great infographic you can download!

When do you need to carry out a DPIA?

This blog focusses on the EU GDPR and, in particular, the EDPB Guidelines’ famous 9 Criteria to consider under EU GDPR when deciding whether a DPIA is required. And we’ve a great infographic for you to download and keep as a cheat sheet!

We’ve another blog, and infographic, on the EDPB’s 9 Worked Examples to illustrate their criteria.

And these EDPB Guidelines are very relevant to UK GDPR – they’re even expressly incorporated into the UK ICO’s guidance on when to do a DPIA. (As you’ll see in our blog on UK GDPR and the UK ICO’s own 10 DPIA Criteria.)

Let’s start first with the DPIA Test in EU GDPR.


GDPR’s DPIA Test

DPIAs can always be carried out voluntarily. They’re a great way to set out your thinking, help with planning, ensure efficiencies, head off issues, manage risks and expand rewards. Pretty good!

But a DPIA is mandatory under Art 35(1) of both EU and UK GDPR where your processing, ‘in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons‘.

3 examples in GDPR itself

Your starting point in deciding whether to carry out a DPIA is Art 35(3) of both EU and UK GDPR. This sets out 3 cases in which a DPIA is required ‘in particular’:

  1. a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person,
  2. processing on a large scale of special categories of data referred to in Art 9, or of personal data relating to criminal convictions and offences referred to in Art 10, or
  3. a systematic monitoring of a publicly accessible area on a large scale.

This is a non-exhaustive list. The test is still whether or not your processing ‘is likely to result in a high risk to the rights and freedoms of natural persons‘. Art 35(4) also requires each supervisory authority to publish a list of the kinds of processing operations for which a DPIA is required, so check your lead supervisory authority’s list too. But how do you tell in a case that isn’t on any list?

Enter the EDPB Guidelines.


The EDPB Guidelines

The EDPB endorsed the Art 29 Working Party’s Guidelines on DPIAs (formally, the Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, WP 248 rev.01, adopted on 4 April 2017 and last revised and adopted on 4 October 2017).

So the Guidelines were written after GDPR was adopted (April 2016) and before it became applicable (25 May 2018), and were written specifically for GDPR.


The EDPB’s 9 Criteria on DPIAs

The Guidelines set out 9 Criteria to expand on the test in GDPR itself, and to help decide if a DPIA is needed. They also give 3 tips on how to apply the 9 Criteria:

  • ‘In most cases, a data controller can consider that a processing meeting two criteria would require a DPIA to be carried out.’
  • ‘In general, the [EDPB] considers that the more criteria are met by the processing, the more likely it is to present a high risk to the rights and freedoms of data subjects, and therefore to require a DPIA, regardless of the measures which the controller envisages to adopt.’
  • ‘However, in some cases, a data controller can consider that a processing meeting only one of these criteria requires a DPIA.’

One practical caveat from the Guidelines: if your processing meets one or more criteria but you conclude it is not ‘likely to result in a high risk’ and decide not to carry out a DPIA, you should justify and document your reasons for that decision.

We highly recommend you read the relevant pages on these criteria in the Guidelines though, in the meantime, here’s a summary!

The EDPB’s 9 DPIA Criteria Keepabl Infographic


Criteria #1: Evaluation or scoring

This includes profiling and predicting, especially from “aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements” (recitals 71 and 91).

Examples

A financial institution screens customers against a credit reference database or against an AML / CTF database. A biotech company offers genetic tests directly to consumers to assess and predict disease / health risks. A company builds behavioural or marketing profiles based on usage or navigation on its website.


Criteria #2: ADM + legal or similar effect

Automated decision-making with legal or similarly significant effect: processing that aims at taking decisions on data subjects producing “legal effects concerning the natural person” or which “similarly significantly affects the natural person”.

Examples

Processing that may lead to exclusion of, or discrimination against, individuals. The Guidelines add that processing with little or no effect on individuals does not match this particular criterion.


Criteria #3: Systematic monitoring

Processing used to observe, monitor or control data subjects, including data collected through networks or “a systematic monitoring of a publicly accessible area” (Art 35(3)(c)). Data subjects may not be aware of who is collecting their data and how it will be used, and it may be impossible for individuals to avoid being subject to such processing in public (or publicly accessible) spaces.

Public (or publicly accessible) space(s)

Any place open to any member of the public, such as a piazza, a shopping centre, a street, a market place, a train station or a public library.


Criteria #4: Sensitive or highly personal data

Includes special categories of data (Art 9), personal data relating to criminal convictions or offences (Art 10), and personal data that increases the possible risk to individuals, i.e. data that is ‘sensitive’ as commonly understood. The fact that personal data is publicly available may also be a factor, if the data subject could not have expected it to be further used for certain purposes.

Examples

A general hospital keeps patients’ medical records. A private investigator keeps offenders’ details. Data ‘sensitive’ as commonly understood: electronic communications whose confidentiality should be protected, location data whose collection calls into question freedom of movement, and financial data that might be used for payment fraud.


Criteria #5: Large scale

GDPR does not define ‘large scale’, though recital 91 provides some guidance. The Guidelines say the following factors, in particular, should be considered when determining whether processing is carried out on a large scale:

  • the number of data subjects concerned, either as a specific number or as a proportion of the relevant population,
  • the volume of data and/or the range of different data items being processed,
  • the duration, or permanence, of the data processing activity, and
  • the geographical extent of the processing activity.


Criteria #6: Matching or combining datasets

Matching or combining datasets originating from two or more data processing operations performed for different purposes and/or by different data controllers, in a way that would exceed the reasonable expectations of the data subject.


Criteria #7: Vulnerable data subjects

Processing the data of vulnerable data subjects is a criterion because of the increased power imbalance between the data subjects and the controller: individuals may be unable to easily consent to, or oppose, the processing of their data, or to exercise their rights.

Examples of vulnerable data subjects

Children, employees, more vulnerable segments of the population requiring special protection (mentally ill persons, asylum seekers, the elderly, patients, etc.), and any case where an imbalance in the relationship between the position of the data subject and the controller can be identified.


Criteria #8: Innovation & new technology

Innovative use, or applying new technological or organisational solutions. Use of a new technology, defined in “accordance with the achieved state of technological knowledge” (recital 91), can involve novel forms of data collection and usage, possibly with a high risk to individuals’ rights and freedoms. The personal and social consequences of deploying a new technology may be unknown.

Examples

Combining use of fingerprint and face recognition for improved physical access control. Certain “Internet of Things” applications that could have a significant impact on individuals’ daily lives and privacy.


Criteria #9: Prevent rights or use of service

The processing in itself “prevents data subjects from exercising a right or using a service or a contract” (Art 22 and recital 91). This includes processing aimed at allowing, modifying or refusing data subjects’ access to a service or entry into a contract.

Example

A bank screens its customers against a credit reference database in order to decide whether to offer them a loan.


Assessments made easy – in Keepabl

You can always carry out your assessment outside of Keepabl in Word, a GDoc or however you like to do them, and then upload or link to that assessment in Keepabl and we’ll report on it. But you can make life easier by carrying out the assessment in Keepabl, in our Assessments solution!


Book your demo now and see how easy we make template management, building your own templates, switching between templates without messing up your records, bringing in Contributors (and kicking them off), freezing the assessment for signature, and our own, intuitive, audited signature process.
