Following our blog on whether an organisation needs to perform a data protection impact assessment (DPIA), we now explore EU guidance on how to perform one.

Methodology for conducting a Data Protection Impact Assessment

The General Data Protection Regulation (EU) 2016/679 (GDPR) does not define the structure and form for the performance of a DPIA. Instead it provides data controllers with the flexibility to determine a structure and form that is most suitable for their operations. However, referencing Article 35(7) and recitals 84 and 90 of the GDPR, the Article 29 Data Protection Working Party (WP29) recommends the following process:

  • Prepare a description of the intended processing operations and the purposes of the processing. This includes the nature, scope, context and purpose of the processing.
  • Assess the necessity and proportionality of the processing. That is, does the proposed processing actually achieve the stated purpose, and is there any other reasonable, less intrusive way to achieve the same result?
  • Assess the risks to the rights and freedoms of data subjects.
  • Consider the measures to address the identified risks and thereby demonstrate compliance with the GDPR.

The WP29 also encourages the development of sector-specific DPIA frameworks which will allow DPIAs to address the specifics of a particular type of processing operation (for example, particular types of data, corporate assets, potential impacts, threats and measures). In order to support data controllers in choosing a methodology, the WP29 DPIA Guidelines include a “criteria for an acceptable DPIA” checklist against which any chosen methodology can be assessed.

Documenting the Data Protection Impact Assessment

A record of the DPIA should be retained for the lifetime of the system or project. If it is determined that a DPIA does not need to be carried out, a record should also be kept of the reasons why a DPIA was not considered necessary.

Publishing the Data Protection Impact Assessment

There is no requirement to publish a DPIA under the GDPR, but the WP29 recommends that data controllers consider publishing all or part of their DPIA to help “foster trust in the controller’s data processing operations and demonstrate accountability and transparency”.

When deciding whether to publish all or part of their DPIA, data controllers should make sure no “commercially sensitive information” or trade secrets are being disclosed or any other specific information which could cause security risks for the controller. The ICO DPIA guidance recommends redacting or removing any sensitive information in this situation, or alternatively publishing a summary.

Timing of the Data Protection Impact Assessment

The GDPR requires DPIAs to be carried out “prior to the processing” (Articles 35(1) and (10), recitals 90 and 93, GDPR). In order to comply with the GDPR, the DPIA should begin as early as possible and, where a processing operation is subject to ongoing changes, the DPIA may need to be continuously updated to ensure that the relevant requirements of the GDPR are being complied with.

The WP29 DPIA Guidelines also state that “carrying out a DPIA is a continual process, not a one-time exercise”. Postponing or not carrying out a DPIA because the DPIA may need to be updated once the processing has begun is, therefore, not acceptable practice.

When to consult the supervisory authority

The controller must consult with a supervisory authority when a DPIA reveals a high risk to individuals which cannot be mitigated or reduced. That is, despite the controller implementing or considering privacy-enhancing measures (such as encryption, if appropriate) in relation to the relevant processing, a high residual risk still arises. Once contacted for consultation, the supervisory authority has eight weeks to provide written advice which can be extended by a further six weeks if the processing is sufficiently complex.

The WP29 provides the following as examples of instances with “high residual risk”:

  • Where the data subjects may encounter significant, or even irreversible, consequences which they may not be able to overcome. For example, illegitimate access to data leading to a threat to the life of the data subjects, dismissal from employment, financial jeopardy and so on.
  • When it seems obvious that the risk will occur. For example, where the number of people with access to the data cannot be reduced because of the way it is shared, used or distributed, or where a well-known vulnerability is not patched.

Data controllers are also required to consult with the supervisory authority where:

  • Applicable member state law requires them to do so.
  • Processing is carried out for the public interest and the controllers need to obtain prior authorisation from the supervisory authority (Article 36(5), GDPR).

Consulting the ICO

In the UK, the process for consulting the ICO requires an email to be sent attaching a copy of the relevant DPIA (ICO DPIA guidance). The following should also be included:

  • A description of the role and responsibilities of any joint controllers or processors.
  • Purposes and methods of the intended processing.
  • Measures and safeguards in place.
  • Contact details of any Data Protection Officer.
  • Any other information that the ICO may require.

Once the ICO has received the relevant DPIA it will conduct a brief screening exercise to ascertain whether there is a residual high risk and, if so, will notify the sender within ten days that the DPIA has been accepted for consultation.

The ICO will then review the DPIA considering whether:

  • The processing complies with the data protection requirements.
  • Risks have been properly identified and reduced to an acceptable level.

The process should be completed within eight weeks (although this can be extended up to 14 weeks in complex cases) as set out above. Where a processing operation may potentially impact on data subjects in other member states and co-operation with them may be required, then this may result in the consultation process taking longer than 14 weeks.

Following a consultation exercise, the ICO will confirm whether:

  • The risks are acceptable and processing can take place.
  • Further measures are required to reduce the risks.
  • All the relevant risks have not been identified and the DPIA needs to be reviewed.
  • The DPIA is not compliant and needs to be repeated.
  • The processing is not GDPR-compliant and should not take place.
  • Formal enforcement action will be undertaken, for example, a limitation or ban on processing.

Sanctions for non-compliance

Failure to comply with the DPIA requirements can lead to significant fines imposed by the applicable supervisory authority. Non-compliance can result in an administrative fine of up to EUR 10 million or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

In addition to the considerations listed in Article 83(2) of the GDPR, the Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, published by the WP29 on 4 October 2017, suggest that supervisory authorities should consider the following factors in determining the size of the fine imposed:

  • The number of data subjects involved. The basic rule is that the more people affected, the bigger the fine.
  • The purpose of the processing, that is, the extent to which the processing upholds the two key components of the “purpose limitation” principle: purpose specification and compatible use.
  • The damage suffered by data subjects.
  • The duration of the infringement.

Practical Steps

Organisations should consider developing an internal protocol to determine when a DPIA must be carried out under the GDPR. A major challenge of complying with the GDPR’s DPIA requirements is determining whether a DPIA must be carried out in respect of certain processing. Read our blog on when a DPIA needs to be carried out to help in this decision.

If you have any questions on data protection law or on any of the issues raised in this article please get in touch with one of our data protection lawyers.