The General Data Protection Regulation (or “GDPR”), which is in force, continues to be a hot topic for companies and organizations. The question that often comes up is how does one implement and assess the principles and rules of the GDPR concretely.
The DPIA under the GDPR is a particularly interesting tool if you intend to use new technologies or to launch in-depth projects in which you will process a lot of personal data. The DPIA enables you to produce a more tangible assessment of the data processing operations that take place in your company or organization. In this newsletter, we discuss the role that DPIA plays in enabling your company or organization to be GDPR-compliant.
1. The importance of a DPIA for your company or organization
In practice, many companies and organizations ask themselves the question which activities they carry out must be GDPR-compliant, especially when they wish to implement new technologies or new data-processing-intensive projects. The GDPR does not give a clear answer to this issue, since it usually does not impose any quantifiable obligations and GDPR compliance is a continuous process.
For companies and organizations, implementing a DPIA helps to make tangible some of the GDPR obligations that are sometimes perceived to be strict. After all, a DPIA enables you to identify the number of risks and to implement measures to mitigate those risks. In this way, you create a to-do list that enables you to work towards achieving GDPR compliance for a specific project or technology. Implementing a DPIA can therefore be a useful tool as well for your company or organization to evaluate the current state of affairs.
What is important is that the DPIA, although it is mandatory in certain scenarios, can often be more than just a serious and formal obligation for your company or organization. Besides making your GDPR obligations more tangible, implementing a DPIA can also enable you to build trust with those concerned and your stakeholders. In implementing a DPIA, you show that your company or organization is identifying the relevant risks and that you are taking the necessary measures to manage them. Moreover, implementing a DPIA and, more generally, being GDPR-compliant, can also given you a competitive advantage. Privacy-aware clients, which are growing in numbers, will look for solutions and for suppliers that process personal data in a conforming way. Consequently, clients could turn away from your competitors because you can prove that you can ensure the security of their personal data in a better way.
2. What is a DPIA?
A DPIA is a process that aims to identify the risks of your data processing operations and to assess those risks according to the measures that your company or organization adopts to mitigate those risks. In a DPIA, you carry out the following before you start the intended data processing operation:
- You describe in detail the intended data processing operation or operations;
- You evaluate the necessity and proportionality of the data processing operation or operations and the associated risks they have on the rights and freedoms of natural persons;
- You assess the risks to the rights and freedoms of individuals;
- You determine the measures that you will take to mitigate the inherent risks, and you conclude whether there is any residual risk.
The GDPR does not require that the data controller carry out a DPIA for every processing of personal data. In principle, a DPIA is mandatory if a type of processing, in terms of its nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedom of natural persons.
The DPIA is part of the accountability obligation under the GDPR. That is, by conducting one, you can demonstrate that your company or organization complies with the provisions of the GDPR.
3. When is a DPIA required?
Earlier, we said that if you are a data controller, you must conduct a DPIA if a certain processing operation is likely to result in a high risk to the rights and freedoms of natural persons. Ultimately, you’ll ask the question: How do I know what is “high risk” processing?
To answer this question, the following rules are important: first, the GDPR itself, through the former Article 29 Working Party (of “WP 29”), clarifies this to a significant extent.
To facilitate the effect of this regulation, the predecessor of the Belgian Data Protection Authority (or “DPA”), i.e., the Privacy Commission, and the Flemish Supervisory Committee (or “VTC” in Dutch for Vlaamse Toezichtcommissie) laid down several specific guidelines that help to determine when a processing activity, in any event, must be preceded by a DPIA.
The GDPR mentions some situations in which a DPIA is mandatory:
- “a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- “processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences; of
- “a systematic monitoring of a publicly accessible area on a large scale.”
WP29 indicates that the abovementioned situations, which are even cited in the GDPR, should certainly not be interpreted as an exhaustive list. In some scenarios, it is clear that there will be a high risk to the security of personal data. If this is not the case, however, and if there is any doubt about it, WP29 suggests nine criteria that can help in assessing what is likely to result in a high risk.
If the intended processing operation relates to or has an effect on:
- Evaluating, scoring, profiling and predicting of the data subjects’ behaviour;
- An automated-decision making with legal or similar significant effects on a person;
- Systematic monitoring of data subjects;
- Sensitive data;
- Data processed on a large scale;
- Matching or combining datasets;
- Data concerning vulnerable data subjects;
- New technologies;
- Preventing or not preventing data subjects from exercising a right relating to his or her personal data.
WP29 states that if the processing operation meets at least two of the above criteria, then the operation is likely to result in a high risk and a DPIA must be carried out beforehand.
The Privacy Commission / DPA
The predecessor of the DPA drew up a similar list in its recommendation of 28 February 2018. It produced a blacklist as well as a whitelist of processing operations that require a DPIA and those that do not require one, respectively. These two lists are also not exhaustive at all.
The blacklist mentions eight types of risky processing operations that are clearly extracted from the abovementioned nine criteria that were drew up by WP29. What is important is that special attention must always be given to processing that relate to special categories of personal data, such as: biometric data, health data, personal data on criminal convictions and offences, large-scale processing operations, and processing operations in which new technologies are used.
The whitelist consists of nine descriptions of processing operations that clearly result in a reduced inherent risk for which the DPA’s predecessor did not, in principle, consider them to require having a DPIA beforehand. This list includes processing operations that are:
- carried out by private companies as part of one of their obligations under law;
- intended solely for payroll administration;
- aimed solely at personnel administration;
- intended solely to produce proper bookkeeping;
- carried out solely in relation to the administration of shareholders and directors;
- carried out by foundations, associations, or other not-for-profit entities and the processing relates to their members or partnerships;
- carried out solely for the registration of visitors;
- carried out by educational institutions with the view to managing their relationships with students or learners as part of their educational purpose;
- carried out only in relation to the management of clients or suppliers.
In no way is the processing allowed to exceed what is strictly necessary for the described purposes, and it may never concern special categories of personal data, or the processing must not take longer than necessary to achieve the purpose.
The DPA’s predecessor mentions in both the blacklist and whitelist the fact that just because a processing operation is mentioned on one of the lists does not discharge the data controller from its obligation to assess and manage the risks associated with it.
Finally, the VTC gave its input on 14 January 2020 by including a list of processing operations that are carried out by administrative bodies. For these types of processing, a DPIA must be conducted beforehand. The lists including the blacklist are divided according to categories of personal data, categories of persons, the effects of the processing, and the processing method.
The VTC did not draw up a white list.
In conclusion, the interpretation of what is likely to result in a high risk must always be made case by case. The abovementioned scenarios offer some clarity, and legal doctrine and case-law on it have also clarified some uncertainties. We are following up on the guidelines and clarifications attentively.
If you have questions about DPIAs or privacy and data protection, please contact our Privacy & Data Protection team.
Authors: Kristof Zadora, Dylan Verhulst & Alexander Broux