The General Data Protection Regulation (GDPR or Regulation) is applicable from May 25, 2018 and, for this purpose, many data controllers must perform a data protection impact assessment (DPIA). Last week, I summarised the basic rules of DPIAs and collected those cases when DPIAs need to be performed. Below, I focus, among others, on the methodology of the impact assessment, the role of the DPO and we examine the question whether a DPIA is necessary in the case of data processing activities in progress.
The methodology of the impact assessment and the role of the Data Protection Officer
The Regulation does not specify exactly the methodology of the impact assessment, and there may be differences in individual Member States or sector-specific. According to a study published in 2014, the main elements of an ideal data protection impact assessment based on the analysis of various “good practices” are the followings:
"1. Definition of the need for an impact assessment; 2. Determination of the body conducting the procedure and the reference system; 3. Description of the project; 4. Examination of events affecting data movements and other events affecting personal data ;5. Consultation with stakeholders; 6. Risk management; 7. Checking lawfulness; 8. Drafting of recommendations; 9. Preparing and presenting the report; 10. Implementing the recommendations; 11. Compliance review; 12. Centralized records of the investigations conducted (De Hert et al., 2012)." (György Zsolt Balogh - István Böröcz - Attila Kiss - Gábor Polyák - László Gergely Szőke: Methodology of Data Protection Impact Assessment, Médiakutató: Médiaelméleti Folyóirat, Volume XV, Issue 4, pp. 77-92; [published in Hungarian])
Guidelines issued by the authorities may also help in the course of conducting impact assessments. It is worth taking into account the guidelines of CNIL (the French authority) (available in English), the handbook of ICO (UK), or the guidelines of AGPD (the Spanish authority) (available in Spanish).
It is the data controller's obligation and responsibility to carry out the data protection impact assessment, but at the data controllers where a data protection officer is in place, the DPO has an important role in conducting the impact assessment, his advice should be sought on the impact assessment.
Consultation with the supervisory authority
The controller shall consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
The wording of the Regulation is not fully clear here but in accordance with the respective guidelines of WP29, "when the residual risks are still high, consultation with the supervisory authority will be necessary."
In addition to the above, "Member State law may require controllers to consult with, and obtain prior authorisation from, the supervisory authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health." (Article 36 (5) of the GDPR)
What to do in the case of data processing activities in progress?
The GDPR does not contain any requirement that data protection impact assessments should also be carried out in respect of data processing activities commenced before the entry into force of the Regulation. However, the Regulation stipulates that "where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations." Accordingly, the review of data processing operations and the evaluation of the risks must be made from time to time, therefore data protection impact assessments may take place sooner or later with respect to data processing operations commenced before the entry into force of the GDPR, provided that the conditions for carrying out the impact assessment are met. The WP29’s respective guidelines strongly recommend that a data protection impact assessment should be carried out regarding data processing commenced before May 25, 2018, to which the impact assessment rules would apply under the Regulation.
The WP29’s respective guidelines also highlight several "good practices" for data protection impact assessments. These include:
- the need for a data protection impact assessment to be evaluated continuously for the data processing, and the existing impact assessment shall be reviewed from time to time,
- it is appropriate to define the tasks, obligations in connection with the impact assessment in the internal rules,
- the publication of all or part (extract)of the completed impact assessment, and
- if it is not clear whether an impact assessment is to be carried out, then an impact assessment should be prepared.