Data Protection Impact Assessment: Esential aspects

Data Protection Impact Assessment: Esential aspects

By its approval and entry into force, the GDPR introduced in 2018 a new concept in the form of an obligation intended to improve the safeguards for the processing of personal data when the controller detects that there is a high risk. This new mechanism is known as a Data Protection Impact Assessment (DPIA).

What is a Data Protection Impact Assessment?

The DPIA, as defined by the AEPD, is “a tool that makes it possible to assess in advance the potential risks to which personal data are exposed depending on the processing activities carried out with them“.

This DPIA makes it possible to determine the implications that a processing operation may have on the rights and freedoms of data subjects where such processing is likely to give rise to a high risk, inter alia, because of the type of personal data to be processed or the environment and context in which the personal data are to be processed, for example, through the use of certain technologies such as artificial intelligence.

The DPIA should be carried out before the processing in question is initiated, as the aim is to measure the impact of the processing before it occurs and thus to detect and mitigate potential risks before they materialise.

Processing operations that require a DPIA

The AEPD, following the criteria of the European Data Protection Bureau, has published an indicative list of processing operations that require a DPIA, these being, among others, the following:

• Processing involving the systematic and extensive observation, monitoring, supervision, geolocation or control of the data subject, including the collection of data and metadata through networks, applications or in publicly accessible areas, as well as the processing of unique identifiers enabling the identification of users of information society services such as web services, interactive TV, mobile applications, etc.
• Processing involving the use of special categories of data, data relating to criminal convictions or offences or data enabling the determination of financial or creditworthiness status or the deduction of information on individuals relating to special categories of data.
• Processing operations involving the use of new technologies or an innovative use of established technologies, including the use of technologies on a new scale, for a new purpose or in combination with other technologies, in a way that involves new forms of data collection and use with a risk to the rights and freedoms of individuals.

What should a DPIA include?

In carrying out a DPIA, a number of aspects should be taken into account which should be included in the implementation of the DPIA, the essential aspects being the following:

• A systematic description of the envisaged processing operations and the purposes of the processing, including, where appropriate, the legitimate interest pursued by the controller;
• An assessment of the necessity and proportionality of the processing operations in relation to their purpose;
• An assessment of the risks to the rights and freedoms of data subjects, and
• The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.

The above are the minimum and essential requirements that any DPIA must have in order to be considered correctly carried out by the AEPD, so that the rights and freedoms of data subjects are guaranteed, but it is always advisable to carry it out as completely as possible in order to proceed with risk processing with all the necessary guarantees.

Other essential aspects

Once the DPIA has been carried out, and depending on the processing operations to be carried out (taking into account the types of personal data processed or the context in which they are processed), and even when determining the measures to be applied, it is possible that the risk to the rights and freedoms of data subjects may still be high, which is why, in this case, a prior consultation with the supervisory authority should be carried out.

As the AEPD itself points out, “the purpose of the consultation with the supervisory authority is not to obtain advice in relation to general aspects of compliance with data protection regulations (legal bases, proportionality, necessity, minimisation, information, data subjects’ rights, etc.), nor to obtain approval of the processing by the supervisory authority”, but “its purpose is to guide the controller in relation to those risks that it has not been able to identify or sufficiently mitigate“.

In order to carry out the prior consultation with the supervisory authority, at least the following information should be provided:

• Where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular in the case of processing within a corporate group.
• The purposes and means of the intended processing.
• The measures and safeguards put in place to protect the rights and freedoms of data subjects.
• Where applicable, the contact details of the data protection officer.
• The DPIA.
• Any other information requested by the Supervisory Authority.

It is important to carry out the DPIA correctly, when necessary, as carrying out high-risk processing without doing so may result in administrative fines of up to €10,000,000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global turnover of the previous financial year, whichever is greater.

At Letslaw by RSM  we have a highly experienced team in Data Protection as well as in carrying out DPIA, and we can advise you and help you to carry out high-risk processing with the greatest guarantees.