The General Data Protection Regulation (GDPR) applies from May 25, 2018 and, in preparation for it, many data controllers must perform a data protection impact assessment (DPIA).
The obligation to perform a data protection impact assessment is closely connected to the principles of data protection by design and by default that the GDPR emphasizes: services should be designed so that data protection is considered from the very first step, and appropriate risk management measures should be planned and carried out alongside the design. The impact assessment is also closely linked to the accountability principle, which requires controllers to develop a data management practice that is consistent with the GDPR.
According to the GDPR, where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
The GDPR defines some circumstances in which a DPIA must be carried out. These are the following:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and upon which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences; or
- a systematic monitoring of a publicly accessible area on a large scale.
In addition to the circumstances described in the GDPR, the competent supervisory authorities shall establish and publish a list of the kinds of processing operations which are subject to the requirement for a DPIA ("black list").
Besides black lists, the supervisory authorities may also establish and publish a list of the kinds of processing operations for which no DPIA is required ("white list").
Some of the authorities have started to publish their draft black / white lists on the basis of this authorization in the GDPR.
The Belgian Privacy Commission published its guidelines on DPIAs, including draft black and white lists (French / Dutch). The black list is available in Annex 2 of the guidelines and contains 10 items. (You can find a non-official English translation of the list in the article by Sidley Austin LLP published on Lexology and also in this article by Van Bael & Bellis.)
According to the Belgian Privacy Commission's black list, a DPIA is required, among others, in the following cases:
- "processing using biometric or genetic data;
- obtaining personal data from third parties to determine whether to refuse or annul a service to a data subject;
- processing aimed at evaluating the financial solvency of the data subject;
- processing that could compromise the physical health of the data subjects in case of a data breach;
- processing financial or sensitive data for secondary purposes;
- evaluating personal aspects about work performance, economic situation, health, location, interests, etc.;
- large scale profiling activities; and
- processing of data relating to a large number of data subjects that are publicly disclosed." (source: article of Van Bael & Bellis)
According to ICO's guidelines on DPIAs, "the ICO also requires you to do a DPIA if you plan to:
- use new technologies;
- use profiling or special category data to decide on access to services;
- profile individuals on a large scale;
- process biometric data;
- process genetic data;
- match data or combine datasets from different sources;
- collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
- track individuals’ location or behaviour;
- profile children or target services at them; or
- process data that might endanger the individual’s physical health or safety in the event of a security breach."
The Polish DPA has also prepared and published a draft black list. You can find an English summary here, prepared by Anna Kobylanska and Marcin Lewoszewski. The Polish list is very detailed and categorizes the processing activities that require controllers to carry out a DPIA into 10 groups. The original document is available here.
It seems from the Polish list that DPIAs will often have to be prepared in the employment context. For example, the following employment-related processing activities may be affected:
- automatic monitoring of working time or of employees' work;
- processing of employees' biometric data;
- assessment of employees based on the observation of their work on a computer;
- processing based on employees' consent;
- whistleblowing hotlines;
- using a centralised database for creating and storing documentation regarding the employment, where data is transferred to third countries. (source: article of Anna Kobylanska and Marcin Lewoszewski)