The Belgian Data Protection Authority (the "Privacy Commission") has launched a public consultation about its draft recommendation regarding data protection impact assessments ("DPIA").
The purpose of the Privacy Commission's recommendation is to provide companies with answers to practical questions raised by DPIAs. Note that the Article 29 Working Party (WP29) will also publish a recommendation regarding DPIAs in the coming months whose elements will be integrated in the final version of the Privacy Commission's recommendation.
Stakeholders are invited to submit their comments before 28 February 2017 at email@example.com.
In its draft recommendation, the Privacy Commission sets out the following requirements that must be met in order to accomplish a DPIA that is compliant with the requirements of article 35(7) of the GDPR:
- a systematic description of the envisaged processing operations and the purposes of the processing;
- an assessment of the necessity and proportionality of the processing;
- an assessment of the risks;
- the measures envisaged to address the risks.
A systematic description of the envisaged processing operations and the purposes of the processing
The purposes as well as the processing have to be described in a complete, coherent and clear way. This means that general purposes such as "enhancing users' experience" or "IT security" should be avoided. According to the Privacy Commission, this description has to be drafted in the light of the obligation to keep a record of the processing activities also found in the GDPR.
In addition to the description of the processing activities and the purposes, the DPIA should also cover:
- the categories of data subjects;
- the categories of data recipients including recipients outside the EU;
- data transfers to organisations or countries outside the EU including the document providing adequate safeguards;
- the retention period for each category of data, if feasible.
An assessment of the necessity and proportionality of the processing
The DPIA has to assess the proportionality and necessity of the processing activity by specifying the reasons why the processing is necessary in itself and why each processing activity is necessary in light of its purpose. If the purpose of a processing activity can be achieved in different ways, the Privacy Commission expects the data controller to choose the least privacy-intrusive one. Moreover, the efficiency of the processing has to be assessed.
An assessment of the risks
The Privacy Commission defines risk as 'the probability that a threat arises and would create a specific impact'.
According to ISO Guide 73:2009, referred to by the Privacy Commission, a risk assessment is the overall process of risk identification, risk analysis and risk evaluation. 'Risk identification' refers to the process of finding, recognizing and describing risks, while 'risk analysis' refers to the process of understanding the nature of the risks and determining the level of risk. Finally, 'risk evaluation' refers to the process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.
When performing a risk assessment, the controller must differentiate between the inherent risk that can be circumscribed and the residual risk that cannot be avoided.
The risks to assess are the high risks to the rights and freedoms of natural persons. According to the WP29, the rights and freedoms of natural persons include the right of privacy as well as other risks to fundamental rights and freedoms established by other legal documents.
Recital 75 of the GDPR refers to specific processing that could create a risk, citing among others processing that can lead to discrimination, the processing of sensitive personal data and the processing of minors' data.
Following Recital 76 of the GDPR, the risk assessment has to be a fact-based analysis that assesses the risks in the context of each specific processing.
The data controller is free to choose a methodology to assess the risks, as long as it is objective and safeguards the confidentiality of data. In this context, the Privacy Commission has detailed the minimum requirements of a DPIA in an annex to its guidance. Such requirements include the fact that it must be carried out on the basis of a methodology, in a structured and understandable manner, tailor-made to the specific context and under management supervision. The Privacy Commission recommends using pre-existing proven methodologies instead of creating new ones each time.
The measures envisaged to address the risks
Furthermore, the DPIA should not only assess the risks but must also explain the risk mitigation measures such as security measures, compliance measures or data safeguard measures.
When is a DPIA required?
As per article 35 of the GDPR, a DPIA is only required when the processing could create high risks to the rights and freedoms of data subjects. According to the Privacy Commission, a "high risks processing" has to be understood as a processing activity that is likely to have significant adverse consequences to the rights and freedoms of data subjects if such data were not correctly processed. This only concerns inherent risks, not residual risks.
Article 35(3) of the GDPR establishes when a DPIA is mandatory no matter the risks the processing activity may create (e.g. in case of 'profiling' or the processing on a large scale of sensitive data).
In accordance with article 35 (4) and (5) of the GDPR, the Privacy Commission has also adopted both a white list of processing activities for which no DPIA is needed (Annex 3) and a black list of processing activities that always require a DPIA (Annex 2).
Unsurprisingly, the black list (annex 2) covers processing of biometric data, genetic data and data that allows the profiling of data subjects. However, it also covers other types of processing activities such as:
- data collected via a third party that could lead to a refusal or a termination of the services;
- data that could compromise the physical health of data subjects in case of a data breach;
- the processing of financial or sensitive data for secondary purposes for processing that is not based on consent or a legal obligation;
- data that are publicly disclosed.
The white list (Annex 3) covers notably the following data processing activities:
- payroll administration;
- staff management when no health data, sensitive data or data related to criminal offenses are processed;
- accounting purposes;
- shareholders and associates management;
- visitors access control.