When a DPIA is necessary – the Irish perspective

2018-06-21 09:07 AM by

Under the GDPR each supervisory authority has to prepare and submit to the European Data Protection Board (EDPB) a list of processing operations that require organisations to conduct Data Privacy Impact Assessments (DPIA).

The Irish Data Protection Commission (DPC) has just released its draft guidance and we thought it would be interesting to compare it to the guidance issued by the UK’s Information Commissioner’s Office (ICO).

So here goes:

For starters, the GDPR itself is pretty clear on when a DPIA is mandatory:

  1. When processing is likely to result in a high risk to the rights and freedoms of individuals. This is likely to be the case when the processing uses new technologies.
  2. When a data controller performs automated decision making based on personal data profiling, large-scale processing of special categories of data or systematic monitoring of publicly accessible areas on a large scale.
  3. Or when requested by a data supervisory authority.

The DPC has published a list – and it’s not brief – saying you’ll need to do a DPIA when:

| DPIA required | By DPC | By ICO |
| --- | --- | --- |
| Using personal data on a large scale for a purpose other than that for which it was collected. This requires the organisation to take into account the link between the purpose, the context of collection, the nature of the data, the consequences of the processing and the safeguards in place; what needs to be taken into account is detailed in Article 6(4). | Yes | |
| Profiling vulnerable persons and children | Yes | Yes |
| Profiling to determine access to services | Yes | Yes |
| Monitoring, tracking or observing an individual’s location or behaviour | Yes | Yes |
| Profiling on a large scale | Yes | Yes |
| Processing biometric data to identify an individual | Yes | Yes |
| Processing genetic data | Yes | Yes |
| Invisible processing: collecting personal data from a source other than the individual without providing them with a privacy notice | Yes | Yes |
| Combining, linking or cross-referencing separate datasets, if the action contributes to profiling or behavioural analysis | Yes | Yes |
| Processing data that might endanger an individual’s health or safety in the event of a security breach | | Yes |
| Processing where the Irish Data Protection Act of 2017 indicates that specific measures are required to safeguard the fundamental rights and freedoms of individuals | Yes | |
| Further processing of personal data for archiving purposes in the public interest, or for scientific, historical research or statistical purposes | Yes | |

As you can see, they’re pretty much in line with each other, which in the end was one of the core objectives of the GDPR.

We suggest reading the entire document that can be found here for the DPC:

DPC document

And here for the ICO:

ICO document

Remember, each organisation needs to assess and document what it has done to determine whether a DPIA is necessary for each proposed data processing operation. If, after the exercise, you’re still not sure whether you need to do a DPIA, ask your supervisory authority and, as a best practice, start carrying out DPIAs for any new project involving personal data, whether or not you think it’s a high-risk exercise. This is what Data Protection by Design and by Default means in practice.

Do you have the right processes in place and are you documenting everything? A tool like GDPR365 not only makes sure your documentation is all in one place and easily accessible, it also provides the workflows to do the risk analysis required.
