When must you carry out a data protection impact assessment (DPIA)?

I was preparing some slides for a training event I am delivering next month and thought it might be interesting to share some of the end of training “quiz” questions over the next few weeks more broadly than the group of trainees. As they are true/false, there should be a 50:50 chance of getting them right so here goes…

Question

In accordance with the GDPR, we are required to carry out a Data Protection Impact Assessment for all projects that involve processing personal data and any activities (both internal and external) that affect the processing of personal data and impact the privacy of individuals. True or False?

Answer

ESLAF (as I cannot put the answers upside down as in the time-honoured tradition of quiz answers, I will put them backwards!) The GDPR doesn’t say that a DPIA must be carried out for all projects that affect the privacy of individuals although your own internal policy may well take this line, what the GDPR says is that, “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.” Article 35 goes on to give circumstances when a DPIA must be carried out and provides for supervisory authorities or the EDPB to define a list of other circumstances when a DPIA is necessary and indeed both the EDPB and the supervisory authorities have been busy helping to further define when a DPIA is necessary.

The WP29 guidance (wp248 rev.01) was updated to contain a table containing 6 examples of processing that would require a DPIA and usefully examples of possible relevant criteria pushing those activities over the DPIA threshold. Included in that list are: the gathering of public social media data for generating profiles, the use of a camera system to monitor driving behaviour on motorways with automatic number plate recognition (ANPR) to single out cars using their license plates, and a company systematically monitoring its employees’ activities including the monitoring of the employees’ work station, internet activity etc.

The Belgian supervisory authority has published a “black list” of 10 distinct processing activities that would require a DPIA such as the use of CCTV with facial recognition used for the purpose of uniquely identifying a person in publicly accessible areas, the re-use for other purposes and disclosure of sensitive data between distinct data controllers, and the systematic and automated collection and recording of a person’s behaviour. In fact, the EDPB has considered 22 submissions by the supervisory authorities of the 28 member states which contain no less than 260 different types of processing!

Ultimately, while these opinions should be taken into account, it is up to each controller and processor to set their own policy and expectations as to when a DPIA must be carried out on processing operations they are undertaking or envisage undertaking, which as a minimum should include the processing activities set out in the relevant jurisdiction’s guidance and local opinions in addition to the context of the processing and any consistency that a pan-jurisdiction organisation may desire. So unfortunately, while technically the answer to question 1 is “false”, when must you carry out a DPIA really does depend on several factors which extend beyond the three conditions and “high risk processing” catch-all set out in Article 35 of the GDPR!

Philip Brining