When do you need to carry out a DPIA?
This blog focusses on the EU GDPR and, in particular, the EDPB Guidelines’ famous 9 Criteria to consider under EU GDPR when deciding whether a DPIA is required. And we’ve a great infographic for you to download and keep as a cheat sheet!
We’ve another blog, and infographic, on the EDPB’s 9 Worked Examples to illustrate their criteria.
And these EDPB Guidelines are very relevant to UK GDPR – they’re even expressly incorporated into the UK ICO’s guidance on when to do a DPIA. (As you’ll see in our blog on UK GDPR and the UK ICO’s own 10 DPIA Criteria.)
Let’s start with the DPIA test in EU GDPR.
DPIAs can always be carried out voluntarily. They’re a great way to set out your thinking, help with planning, ensure efficiencies, head off issues, manage risks and expand rewards. Pretty good!
But they also need to be done, under Art 35 of both EU and UK GDPR, if your processing ‘is likely to result in a high risk to the rights and freedoms of natural persons’.
Your starting point in deciding whether to carry out a DPIA is Art 35(3) of both EU and UK GDPR. This sets out 3 examples when a DPIA is required:
This is a non-exhaustive list. The test is still whether or not your processing ‘is likely to result in a high risk to the rights and freedoms of natural persons’. How to tell?
Enter the EDPB Guidelines.
The EDPB endorsed the Art 29 WP’s Guidelines on DPIAs (formally the Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, WP 248 rev.01, last revised and adopted on 4 October 2017).
As you can see, the Guidelines were created specifically for GDPR, after it went on the statute books and before it became applicable.
The Guidelines set out 9 Criteria to expand on the test in GDPR itself, and to help decide if a DPIA is needed. They also give 3 tips on how to apply the 9 Criteria:
We highly recommend you read the relevant pages on these criteria in the Guidelines though, in the meantime, here’s a summary!
The EDPB’s 9 DPIA Criteria Keepabl Infographic
Evaluation or scoring includes profiling and predicting, especially from “aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements”.
A financial institution screens customers against a credit reference database or against an AML / CTF database. A biotech company offers genetic tests directly to consumers to assess and predict disease / health risks. A company builds behavioural or marketing profiles based on usage or navigation on its website.
Automated-decision making with legal or similar significant effect: processing that aims at taking decisions on data subjects producing “legal effects concerning the natural person” or which “similarly significantly affects the natural person”.
Processing that may lead to exclusion or discrimination against individuals.
Processing to observe, monitor or control data subjects, including data collected through networks or “a systematic monitoring of a publicly accessible area”. Data subjects may not be aware of who is collecting their data and how it will be used. It may be impossible for individuals to avoid being subject to such processing in public (or publicly accessible) spaces.
Any place open to any member of the public, such as a piazza, a shopping centre, a street, a market place, a train station or a public library.
Includes special categories (Art 9), personal data relating to criminal convictions or offences (Art 10), and personal data increasing possible risk to individuals, ‘sensitive’ as commonly understood. The fact that personal data is publicly available may be a factor if it was expected to be further used for certain purposes.
A general hospital keeps patients’ medical records. A private investigator keeps offenders’ details. Electronic communications whose confidentiality should be protected. Location data whose collection questions the freedom of movement. Financial data that might be used for payment fraud.
GDPR does not define ‘large-scale’, though recital 91 provides some guidance. The following factors, in particular, should be considered:
Matching or combining datasets originating from two or more data processing operations performed for different purposes and/or by different data controllers in a way that would exceed the reasonable expectations of the data subject.
Processing data concerning vulnerable data subjects is a criterion because of the increased power imbalance between the data subjects and the controller: individuals may be unable to easily consent to, or oppose, the processing of their data, or to exercise their rights.
Children, employees, more vulnerable segments of the population requiring special protection (mentally ill persons, asylum seekers, or the elderly, patients, etc), and any case where an imbalance in the relationship between the position of the data subject and the controller can be identified.
Innovative use or applying new technological or organisational solutions. Use of a new technology, defined in “accordance with the achieved state of technological knowledge”, can involve novel forms of data collection and usage, possibly with a high risk to individuals’ rights and freedoms. The personal and social consequences of the deployment of a new technology may be unknown.
Combining use of fingerprint and face recognition for improved physical access control. Certain “Internet of Things” applications could have a significant impact on individuals’ daily lives and privacy.
The processing in itself “prevents data subjects from exercising a right or using a service or a contract” (Art 22 and recital 91). Includes processing aimed at allowing, modifying or refusing data subjects’ access to a service or entry into a contract.
A bank screens its customers against a credit reference database in order to decide whether to offer them a loan.
You can always carry out your assessment outside of Keepabl in Word, a GDoc or however you like to do them, and then upload or link to that assessment in Keepabl and we’ll report on it. But you can make life easier by carrying out the assessment in Keepabl, in our Assessments solution!
Book your demo now and see how easy we make template management, building your own templates, switching between templates without messing up your records, bringing in Contributors (and kicking them off), freezing the assessment for signature, and our own, intuitive, audited signature process.