GDPR-Series: Data protection impact assessment (DPIA)

As of 25 May 2018, the General Data Protection Regulation (‘GDPR’) will apply. Under the GDPR, carrying out a data protection impact assessment (‘DPIA’; in Dutch a ‘gegevensbeschermingseffectbeoordeling’) becomes mandatory for organizations for certain data processing operations.

Under the Dutch Personal Data Protection Act (‘Wbp’), this assessment already exists under the name privacy impact assessment (‘PIA’). Under the Wbp, however, carrying out such an assessment is voluntary. That changes as of 25 May 2018.

What is a DPIA?

A DPIA is an instrument with which an organization gains insight into the privacy risks of a processing operation before it starts, in particular by evaluating the origin, nature, specific character and seriousness of those risks. Where necessary, measures can then be taken to reduce the risks before any data is processed.

For which data processing operations do you perform a DPIA?

Not every data processing operation requires a DPIA. A DPIA is only mandatory if the processing is likely to pose a high privacy risk to individuals. This applies in particular to processing that makes use of new technologies.

A DPIA should in any case be carried out if an organization:

  • systematically and extensively evaluates personal aspects of individuals by automated means, including profiling, and bases decisions with legal or similarly significant effects on that evaluation;
  • processes special categories of personal data on a large scale;
  • systematically monitors a publicly accessible area on a large scale (e.g. with camera surveillance).

According to the European supervisory authorities, examples of such data processing are:

  • a hospital that processes patient data;
  • a transport company that processes the travel information of people travelling by public transport in a particular city, for example by tracking them via travel cards;
  • a processor specializing in market research that, on behalf of an international fast-food chain, processes customers’ current location data for statistical purposes;
  • an insurance company or bank that processes customer data;
  • a search engine that processes personal data in order to display advertisements based on internet behavior;
  • a telephone or Internet service provider that processes data about customers’ telephone and/or Internet behavior, such as content, traffic and location.

Other data processing operations may also require a DPIA because of their high privacy risk. In determining whether this is the case, the number of data subjects, the amount of data processed, the duration of the processing and its geographical scope must all be taken into account.

The Dutch supervisory authority (“Autoriteit Persoonsgegevens”, hereinafter “AP”) will in due course publish a list of processing operations for which a DPIA is mandatory. Until then, the European regulators recommend that, in case of doubt, a DPIA should always be carried out.

Why perform a DPIA?

Performing a DPIA benefits data protection, but also the organization itself. Early insight into the most important privacy risks can prevent costly process adjustments, system redesigns or even the discontinuation of a project later on. In doing so, an organization also implements the principles of “privacy by design” and “privacy by default”, as required by the GDPR.

A DPIA can also, among other things, raise privacy awareness within the organization, improve services and decision-making, improve the feasibility of a project and strengthen the trust of customers and employees in the way the organization processes personal data and respects privacy.

How to carry out a DPIA?

An organization that is obliged under the GDPR to appoint a data protection officer (‘DPO’) must seek the advice of the DPO when carrying out the DPIA. If the organization also uses a processor, that processor must assist with the DPIA by, among other things, providing the necessary information about, for example, the security measures in the systems and software it uses on the organization’s behalf. Where appropriate, the views of the data subjects or their representatives should also be sought.

An organization can choose how it carries out a DPIA, as long as the DPIA contains at least the following:

  • a systematic description of the intended data processing operations and their purposes;
  • an assessment of the necessity and proportionality (isn’t the invasion of the privacy of the data subjects disproportionate in relation to the purpose?) of the data processing operations;
  • an assessment of the privacy risks to data subjects;
  • the measures envisaged to (1) address the risks (such as safeguards and security measures) and (2) demonstrate that the organization complies with the GDPR.

The professional association of IT auditors (NOREA) has drawn up a set of guidelines for carrying out a PIA. Since the content of a PIA under the Wbp is virtually the same as that of a DPIA under the GDPR, this guide can in all likelihood still be consulted after 25 May 2018.

How often do DPIAs take place?

A DPIA is not a one-off exercise prior to processing: during or after the processing it may be necessary to update or repeat it. This is the case, for example, if the outcome of the previous DPIA (possibly) changes because the processing itself, or the circumstances underlying it, have changed. An organization must therefore continue to monitor this.

Prior consultation of the AP

If the DPIA indicates that the processing would pose a high privacy risk in the absence of measures taken by the organization to mitigate that risk (in practice: if a high risk remains after the planned measures), the organization must consult the AP before starting the processing. The AP then assesses whether the intended processing conflicts with the GDPR, in particular whether the risks have been insufficiently identified or mitigated, and if so advises the organization in writing.