The phrase ‘rights and freedoms’ occur often in the text of the GDPR. A Data Protection Impact Assessment (DPIA) can be a useful tool for assessing the impact of processing personal data on the rights and freedoms of individuals. Also known as a ‘privacy impact assessment’, a DPIA has two main values:
- incorporating data protection considerations into organisational planning; and.
- demonstrating compliance with supervisory authorities.
If you have a DPO, they are tasked to ‘provide advice where requested as regards the DPIA and monitor its performance’ according to Article 39(1)(c)
When is a DPIA required?
A DPIA is required if the processing is ‘likely to entail a high risk to the rights and freedoms of natural persons’. In determining if a DPIA is required the; nature, scope, context, purpose, type of processing and use of new technologies should be considered.
Examples of processing that will require a DPIA include:
- Conducting ‘a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling; and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person’;
- Conducting ‘processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences’;
- Conducting ‘a systematic monitoring of a publicly accessible area on a large scale’
Here are a few more examples of when you might need a DPIA
- Deciding to use CCTV (particularly facial recognition)
- Targetting marketing to children
- Combining Datasets from different sources
- Tracking location and behaviour
Read more here (Article 35(1))
What should a DPIA include?
A DPIA should include:
- A description of the processing, including its purpose and the legitimate interest being pursued;
- The necessity of the processing, its proportionality and the risks that it poses to data subjects;
- Measures to address those risks (in other words, the data protection by design and data protection by default controls);
When must the supervisory authority be contacted?
Consultation with the supervisory authority is required prior to processing when the DPIA indicates a high risk to data subjects that are not mitigated. In addition to the DPIA, this communication should include:
- Responsibilities of the controllers and processors Purposes and means of the processing
Measures and safeguards;
- Contact details of the DPO;
If the supervisory authority thinks the processing will not be compliant with the GDPR or the controller has not sufficiently mitigated the risks, the supervisory authority will provide advice to the controller and can block processing activities within eight weeks (or six additional weeks in complex situations).
In summary, if you are using new technologies or your processing is likely to impact on the rights and freedoms of the Data Subject, a DPIA is an excellent way of showing that you have thought through all of the risks involved, and you can demonstrate this to the Supervisory Authority.
Let us know if we can help you!
Author: Yvonne Morris
CloudLegal is a tech-enabled legal support consultancy which promises practical commercial and jargon-free advice. We support all company matters, commercial contracts/ Ts & Cs (including software and IT), employment & HR as well as data protection matters. We have various services including:
- our LawChat service which is a convenient way to speak to a legal expert;
- our suite of key Legal Templates available for pre-order purchase;
- our comprehensive Document CheckUp service for our templates;
- a free Request-a-Quote service for custom services from our in-house legal experts (and partner lawyers/ law firms);
- Last but not least, we offer a LawChat Legal Support Packages for business customers who need affordable, convenient and regular legal support. Areas include company setup, commercial contracts/ terms and conditions, intellectual property, data protection services and more. We also offer GDPR Support Packages in addition to Employment Support Packages.