Under the GDPR each supervisory authority has to prepare and submit to the European Data Protection Board (EDPB) a list of processing operations that require organisations to conduct Data Privacy Impact Assessments (DPIA).
The Irish Data Protection Commission (DPC) has just released its draft guidance and we thought it would be interesting to compare it to the guidance issued by the UK’s Information Commissioner’s Office (ICO). So here goes.

For starters, the GDPR itself is pretty clear on when a DPIA is mandatory:
- When processing is likely to result in a high risk to the rights and freedoms of individuals. This is likely to be the case when the processing uses new technologies.
- When a data controller performs automated decision making based on personal data profiling, large-scale processing of special categories of data or systematic monitoring of publicly accessible areas on a large scale.
- Or when requested by a data supervisory authority.
The DPC has published a list – and it’s not brief – saying you’ll need to do a DPIA when:
| DPIA required | By DPC | By ICO |
|---|---|---|
| Using personal data on a large scale for a purpose other than that for which it was collected. The organisation must take into account the link between the purposes, the context of collection, the nature of the data, the consequences of the processing and the safeguards in place, as detailed in Article 6(4). | Yes | |
| Profiling vulnerable persons and children | Yes | Yes |
| Profiling to determine access to services | Yes | Yes |
| Monitoring, tracking or observing an individual’s location or behaviour | Yes | Yes |
| Profiling on a large scale | Yes | Yes |
| Processing biometric data to identify an individual | Yes | Yes |
| Processing genetic data | Yes | Yes |
| Invisible processing: collecting personal data from a source other than the individual without providing them with a privacy notice | Yes | Yes |
| Combining, linking or cross-referencing separate datasets where this contributes to profiling or behavioural analysis | Yes | Yes |
| Processing data that might endanger an individual’s health or safety in the event of a security breach | Yes | |
| Processing where the Irish Data Protection Act of 2017 indicates that specific measures are required to safeguard the fundamental rights and freedoms of individuals | Yes | |
| Further processing of personal data for archiving purposes in the public interest, or for scientific, historical research or statistical purposes | Yes | |
As you can see, they’re pretty much in line with each other, which in the end was one of the core objectives of the GDPR.

We suggest reading the entire document. The DPC’s guidance can be found here: DPC document

And the ICO’s guidance here: ICO document
Remember that each organisation needs to assess and document what it has done to determine whether a DPIA is necessary for each proposed data processing operation. If, after this exercise, you’re still not sure whether you need to do a DPIA, ask your supervisory authority and, as a best practice, start carrying out DPIAs for any new project involving personal data, whether or not you think it is a high-risk exercise. This is what Data Protection by Default and Design is.
Do you have the right processes in place and are you documenting everything? A tool like GDPR365 not only makes sure your documentation is all in one place and easily accessible, it also provides the workflows to do the risk analysis required.