The General Data Protection Regulation (GDPR or Regulation) is applicable from May 25, 2018 and, for this purpose, many data controllers must perform a data protection impact assessment. The data protection impact assessment has been applied in some Member States of the European Union (e.g. UK, France), even if not fully consistent with GDPR, in order to assess the potential risks of data processing and to take measures that are tailored to the degree of risk identified. In Hungary, however, this legal institution is less known to data controllers, since the Hungarian Data Protection Act does not regulate the data protection impact assessment and does not require the performance of such an obligation.
The obligation to perform a data protection impact assessment connects closely to the principles of data protection by design and by default that are emphasized in the Regulation, since services should be designed so that data protection is already considered from the first step, while the planning and execution of appropriate risk management measures should also happen.
The impact assessment is also closely linked to the accountability principle that requires the development of a data management practice that is consistent with GDPR.
According to Article 35 of the Regulation, “where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. [...]”
Data protection impact assessment is therefore a process in which the data controller reviews the planned data processing operation or operations, examines the potential impact of the data processing on the affected parties, assesses the risks in connection with data processing and the methods of handling the risks and documents them properly.
According to the Regulation (Article 35 (7)), the impact assessment shall cover at least:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects; and
- the measures envisaged to address the risks.
When should a data protection impact assessment be performed?
The Regulation defines some circumstances when a data protection impact assessment is to be carried out. These are the following:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and upon which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
- a systematic monitoring of a publicly accessible area on a large scale.
In addition to the above, an impact assessment should be carried out for any data processing that is likely to result in a high risk to the data subject. In deciding whether or not a data protection impact assessment is necessary, it must be considered primarily what the term "risk" and "high risk" mean for the purposes of the Regulation. Fortunately, with this analysis of the GDPR in this respect, we are not fully without help. At the beginning of April 2017, WP29 published a draft Guidelines on Data Protection Impact Assessments (WP248), which addresses, inter alia, the interpretation of the term “likely to result in a high risk”. Besides this, dr. Győző Endre Szabó, vice-president of NAIH (the Hungarian DPA), also addressed the issue of data protection impact assessment (dr. Endre Győző Szabó: Certain issues of the EU Data Protection Regulation I. - Data portability and data protection impact assessment [article in Hungarian]).
Further assistance will be given to data controllers in that the supervisory authorities must compile and publish a list of data processing activities for which a data protection impact assessment is to be carried out. In addition, the supervisory authorities may compile and publish a list of data processing activities that require no impact assessment. (Regarding the necessary consultations, according to dr. Győző Endre Szabó’s opinion, these lists may only be published in the spring of 2018.) According to dr. Győző Endre Szabó, however, it may be expected that, in order to reduce the administrative burden on SMEs, these companies may be exempted from the obligation to prepare data protection impact assessments under certain circumstances (dr. Győző Endre Szabó, p. 10).
When do not data controllers need to perform a data protection impact assessment?
In some cases, data controllers are exempted from the obligation to carry out an impact assessment. Such cases are as follows:
- if data processing is unlikely to result in high risk,
- for similar processing operations that present similar high risks, a single impact assessment is sufficient, i.e. no separate impact assessment is required (Article 35 (1) of the GDPR),
- where processing pursuant to point (c) or (e) of Article 6(1) (processing is necessary for compliance with a legal obligation to which the controller is subject or processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) has a legal basis in Union law or in the law of the Member State to which the controller is subject, that law regulates the specific processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis (Article 35 (10) of the GDPR),
- if the data processing is on the list of supervisory authorities that provides that no impact assessment is required for the respective processing operation (please also see the previous section above).