In some cases, carrying out a DPIA is mandatory but in other cases a DPIA can be used as a best practice tool to identify any potential compliance gaps and help meet your accountability obligations under the GDPR. We previously discussed DPIAs before the GDPR came into force. In this article, we take a second look at when a DPIA is required and provide some practical tips you should consider when carrying out this crucial compliance exercise.
If you want to see an overview of the national DPIA "blacklists" (discussed below), read our table summary.
There are three sources to consider when determining whether you need to carry out a DPIA: the GDPR itself, guidance from the European Data Protection Board ("EDPB") and the so-called national DPIA "blacklists". We'll take a look at each in turn.
When is a DPIA required?
Article 35 of the GDPR
- systematic and extensive evaluation of personal aspects of individuals, including profiling, that have a legal effect or similarly significant effect,
- processing of special categories of personal data or criminal record data on a large scale, and
- systematic public monitoring on a large scale.
Some of the EDPB criteria focus on the type or nature of the data and individuals involved: these include "data processing on a large scale", the processing of "sensitive data or data of a highly personal nature" and "data concerning vulnerable data subjects". Other criteria focus on how the data is processed and the methodologies used: these include processing that involves the "systematic monitoring" of individuals, "matching or combining data sets", "evaluation or scoring" or the use of "new or innovative technological or organisational solutions". The final two EDPB criteria consider the potential impact to individuals, including if the processing leads to "automatic decision-making" (as per Article 22 of the GDPR) or otherwise "prevents data subjects from exercising a right or using a service or contract".
According to the guidelines, a DPIA will generally only be required where two or more of the EDPB criteria apply but in some cases a DPIA will be required where only one criterion applies. The EDPB gives particular focus to new technologies (this is also specifically called out in the recitals of the GDPR).
You'll need to think about how the EDPB criteria apply in the context of your processing activity, taking into account what data you are processing, the types of individuals concerned, the methodologies and technologies involved and the potential outcomes and impact on individuals. For example, a medical company that uses health information to build profiles of patients will likely need to conduct a DPIA as it is processing sensitive data and using that data to evaluate or profile individuals (and potentially using innovative technology to do so). Equally, a manufacturer of a connected toy that collects children's data would also need to carry out a DPIA because it is using new and innovative technology and processing information about vulnerable data subjects (and potentially monitoring children's behaviour as well).
The EDPB's guidelines may give you a good idea of whether you'll need to carry out a DPIA or not, but they aren't the only guidance you should consider.
National DPIA "blacklists"
So far, 22 such blacklists have been published. We have reviewed them and summarized the most common triggers or scenarios that feature – see our table summarizing the national blacklists.
The blacklists vary quite a lot in their approach. Some set out specific scenarios where a DPIA will be required whereas others identify broader criteria along the same lines as the EDPB's guidelines. Our table categorizes the scenarios according to broad headings and naturally there are differences as to how each is described or interpreted by the blacklists. Ultimately, the table provides a high-level view of the main risks identified by the supervisory authorities and you'll need to investigate local requirements more closely to determine whether they apply in your case.
It's also worth mentioning that a few supervisory authorities have published a list of processing activities that do not require a DPIA – so-called national DPIA "whitelists". These lists are permitted by Article 35(5) of the GDPR but are not mandatory, so it's perhaps unsurprising only a few whitelists have been published to date (by Austria, Belgium, France, Spain and the Czech Republic, in draft or final form).
How should I complete a DPIA?
So you've concluded that you need to carry out a DPIA. But how do you go about doing it?
The GDPR doesn't prescribe exactly how you should complete a DPIA, but Article 35(7) does say that it should include at a minimum:
- a description of the processing operation (including the purpose for the processing and, if relevant, the legitimate interests pursued),
- an assessment of the necessity and proportionality of processing,
- an assessment of risks to rights of data subjects (including both risks to privacy and data protection rights as well as other fundamental rights), and
- what mitigating measures can be taken to reduce the risks.
The EDPB's guidelines provide further analysis on the requirements for DPIAs (including when consultation with supervisory authorities may be necessary and when a controller should consider publishing their DPIA), and include a list of DPIA frameworks. A number of supervisory authorities, including the UK ICO, have also published templates that can be used or adapted according to your needs.
One thing to think about is that completing a DPIA can be an involved exercise, so you could consider preparing a short form assessment for the business and product teams and which will help identify whether a full DPIA is required – this could touch on some of those scenarios from the EDPB criteria and national blacklists. Ultimately, the GDPR does not prescribe how you approach DPIAs and you can develop a process that is suitable for the size of your organization and the processing you carry out.
Lastly, don't forget that a DPIA should be a living document so you'll need to revisit it on a regular basis to ensure it is accurate and up to date – especially if any aspect of the processing changes.
If you follow these steps, you should hopefully be ready the next time your DPO asks whether you've thought about a DPIA!
With many thanks to Simone Bloem for her help in preparing this article and the corresponding table.
Sign up to our email digest
Click to subscribe or manage your email preferences.