The General Data Protection Regulation (“GDPR”), in force since May last year, imposes an obligation to carry out a Data Protection Impact Assessment (“DPIA”) for potentially high-risk processing activities. Only three examples of high-risk processing activities are provided in the GDPR itself, but each national supervisory authority (“SA”) is required to establish and make public a list of the kinds of processing activities for which a DPIA is required. Recently, the Belgian SA published such a list of specific types of processing activities.
Before we take a look at the list of the Belgian SA, we will discuss what a DPIA is and what it is for. We will end this blog with a description of how a DPIA is generally carried out.
What is a DPIA?
As the name suggests, a DPIA is an assessment of privacy risks which may be related to (new) processing activities. Performing a DPIA helps organisations become aware of privacy risks associated with new and potentially risky processing activities, so that these risks can be eliminated or mitigated as much as possible prior to implementation.
When should a DPIA be carried out?
Under the GDPR controllers must carry out a DPIA if the proposed processing is likely to entail a high risk for the individuals whose data are being processed. The GDPR states that a DPIA is mandatory in particular if the following takes place:
- Systematic and extensive evaluation of the personal aspects of an individual, including profiling;
- Processing of sensitive data on a large scale;
- Systematic monitoring of public areas on a large scale.
This limited list only provides broadly defined processing activities. Therefore, in October 2017, the Article 29 Working Party (called the European Data Protection Board, “EDPB”, since the GDPR came into force) published the Guidelines on Data Protection Impact Assessment. The Guidelines provide more extensive information and additional examples of processing activities which require a DPIA.
The Belgian Data Protection Authority already published a DPIA draft list last year. After the EDPB published an Opinion on this list, along with Opinions on the DPIA lists of 21 other SAs, the Belgian Authority made several changes. In accordance with the updated list, a DPIA is mandatory if an organisation is planning any of the following types of processing:
- Processing of biometric data (e.g. fingerprints) of individuals in a public area or private area that is publicly accessible;
- Collecting personal data from third parties in order to use that information for making a decision to refuse or end a contract with an individual;
- Collecting health-related data by automated means through an active implantable medical device;
- Collecting personal data on a large scale by third parties in order to analyse or predict the economic situation, health, personal preferences or interests, reliability or behaviour, location or movements of individuals;
- Systematic sharing of sensitive data or data of a very personal nature (e.g. related to poverty, unemployment, social work) between data controllers;
- Large-scale processing of data generated by devices with sensors that send data over the Internet or any other means (e.g. Internet of Things applications like smart TVs and smart energy systems) in order to analyse the economic situation, health, personal preferences or interests, reliability or behaviour, location or movements of individuals;
- Large-scale and/or systematic processing of telephony, Internet or other communication data, metadata or location data of individuals (e.g. Wi-Fi tracking), when such processing is not strictly necessary for the service requested;
- Large-scale processing of personal data where behaviour of individuals is observed, collected, established or influenced in a systematic manner and by using automated means.
How is a DPIA generally carried out?
There are no strict rules on how a DPIA should be carried out, but it should at least document the following elements:
- A description of what types of processing will take place and for which purposes;
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- An assessment of the risks to the rights and freedoms of the data subjects;
- The measures that will be used to address the risks and to demonstrate GDPR compliance. For example, minimising the data collected, pseudonymising or anonymising data as soon as possible, tightening access restrictions, or raising the overall level of security.
If the risks that have been assessed are considered too high, without sufficient measures to address them, controllers are obligated to consult their SA before the processing may be carried out. Generally, the SA is required to respond to this consultation within eight weeks.
Controllers are responsible for carrying out DPIAs, but processors are required to assist controllers where this is necessary and the controller requests it. They assist by providing all necessary information, such as the security measures applied to the processing of personal data.
Thinking about carrying out a DPIA?
Controllers must always seek the advice of their Data Protection Officer (DPO) when carrying out DPIAs. If your DPO needs assistance when carrying out a DPIA, feel free to contact us. Does your organisation not have a DPO yet? Then you may consider hiring a DPO via Legal ICT.
This article was written in collaboration with Demi Rietveld.