31 Oct 2017

Article 29 Data Protection Working Party GDPR Guidelines on Data Protection Impact Assessments



Article 35 of the General Data Protection Regulation ("GDPR") introduces the concept of a Data Protection Impact Assessment ("DPIA").

A DPIA is the process by which an organisation describes its processing operations and their purposes, and sets out the measures envisaged to address any risks to data subjects. It is intended to be the data controller's assessment of the necessity and proportionality of the proposed processing operations, balanced against the risks to the rights and freedoms of data subjects.

The Article 29 Working Party has published guidelines on DPIAs (the "Guidelines"), following its consultation on a draft version published in April 2017 (as reported in our April bulletin).

Carrying out a DPIA is not mandatory for every processing operation. A DPIA is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons”.

The Guidelines provide that the obligation for controllers to conduct a DPIA in certain circumstances should be understood against the background of their general obligation to appropriately manage risks presented by the processing of personal data.

When is processing likely to result in a high risk?

Article 35(3) of the GDPR lists particular cases in which a DPIA is required, being processing operations that, taking into account the nature, scope, context and purposes of the processing, are likely to result in high risks to the rights and freedoms of natural persons:

  1. a systematic and extensive evaluation of personal data based on automated processing, including profiling, on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  2. processing, on a large scale, of special categories of data (concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, or data concerning health or data concerning a natural person’s sex life or sexual orientation) or of personal data relating to criminal convictions and offences; or
  3. a systematic monitoring of a publicly accessible area on a large scale.

The Guidelines clarify that this list is non-exhaustive and identify additional processing operations that pose similarly high risks and which, the Working Party advises, should also be subject to a DPIA.

The Guidelines set out nine criteria to be considered when assessing whether a processing operation is likely to result in a high risk to natural persons. In most cases a DPIA will be required where two or more of the following criteria are met, although a large-scale processing activity meeting only one of them may still require a DPIA.

(i) Evaluation or scoring, including profiling and predicting, especially from aspects concerning a data subject's performance at work, economic situation, health, reliability or behaviour, location or movements

Examples include a financial institution that screens its customers against a credit reference or anti-money laundering database, or a company building behavioural or marketing profiles based on usage of, or navigation on, its website.

(ii) Automated decision-making with legal or similarly significant effect

The Guidelines note that processing of this nature may lead to the exclusion of, or discrimination against, individuals, whereas processing with little or no effect on individuals would not meet this criterion.

(iii) Systematic monitoring: processing used to observe, monitor or control data subjects, including data collected through systematic monitoring of a publicly accessible area

An example is a company systematically monitoring its employees' activities, including their work stations and internet use. This is treated as high risk because personal data may be collected in circumstances where data subjects are not aware of who is collecting their data or how it will be used, and because they may be unable to avoid such processing in a public (or publicly accessible) space.

(iv) Sensitive data or data of a highly personal nature

Examples include a hospital keeping patients' medical records or a private investigator keeping offenders' details.

(v) Data processed on a large scale

The Guidelines recommend that the following factors be considered when determining whether processing is carried out on a large scale:

  • the number of data subjects concerned (as a specific number or as a proportion of the relevant population);
  • the volume of data and/or range of different data items being processed;
  • the duration, or permanence, of the processing activity; and
  • the geographical extent of the processing activity.

(vi) Matching or combining datasets

For example, processing information originating from two or more data processing operations performed for different purposes and/or by different data controllers.

(vii) Data concerning vulnerable data subjects

The Guidelines cite the following examples of vulnerable data subjects: children, employees, mentally ill persons, asylum seekers, the elderly and patients, and more generally any case where there is an imbalance of power between the data subject and the controller.

(viii) Innovative use or application of new technological or organisational solutions

This would include a company using new technology or novel forms of data collection and use (e.g. combining fingerprint and face recognition for improved physical access control).

(ix) Processing that in itself "prevents data subjects from exercising a right or using a service or a contract"

This includes processing operations that aim at allowing, modifying or refusing data subjects' access to a service or entry into a contract (e.g. a bank screening its customers against a credit reference database in order to decide whether to offer them a loan).

Notably, international transfers to countries outside the EU have not been included as a specific criterion in the final version of the Guidelines, following feedback from the consultation process.

What about existing processing operations?

A DPIA is not needed for a processing operation that has already been checked by a supervisory authority (e.g. the ICO) or by an appropriate data protection official, and that is being performed in a way that has not changed since that prior assessment.

However, the Guidelines state that a DPIA must be carried out for an existing operation that is likely to result in a high risk where the risks have changed, taking into account the nature, scope, context and purposes of the processing, for example because a new technology has been adopted.

Carrying out a DPIA 

A DPIA should be carried out prior to the processing and as early as is practicable in the design of the processing operation.

The controller is responsible for ensuring the DPIA is carried out. The controller must seek the advice of the data protection officer (where applicable) and this advice and subsequent decisions should be documented by the controller. The controller must also seek the views of the data subjects where appropriate (e.g. via a generic study, questions to staff representatives or surveys sent to the data controller's future customers).

The GDPR provides data controllers with flexibility to determine the precise structure and form of the DPIA in order to allow for this to fit with existing working practices.

Although not a legal requirement of the GDPR, the Guidelines propose that controllers should consider publishing at least a summary or the conclusion of their DPIA for accountability purposes.

When is it necessary to consult the supervisory authority? 

It is the responsibility of the data controller to assess the risks to the rights and freedoms of data subjects, to identify the measures envisaged to reduce those risks to an acceptable level, and to demonstrate compliance with the GDPR. If the controller considers that the risks have been sufficiently reduced, the processing can proceed without consulting the supervisory authority. Where the identified risks cannot be sufficiently addressed by the controller (i.e. the residual risk remains high), the controller must consult the competent supervisory authority before the processing begins.

When a DPIA is not required

The Guidelines make clear that, where the conditions triggering the obligation to carry out a DPIA are not met, the controller's general obligation to implement measures to appropriately manage risks to the rights and freedoms of data subjects is not diminished, and they advise controllers to reassess the risks created by their processing activities regularly.

Consequences of non-compliance 

Under the GDPR, non-compliance with the DPIA requirements can lead to administrative fines imposed by the competent supervisory authority (e.g. the ICO). Failure to carry out a DPIA where one is required, carrying out a DPIA incorrectly, and failing to consult the competent supervisory authority where required are each breaches of the GDPR that could result in fines of up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher.

Should you require any assistance in assessing whether or not a DPIA is required or in preparing an appropriate DPIA, do let us know. 



Alison Llewellyn