Data Protection Impact Assessment (DPIA), Privacy Impact Assessment (PIA) and data protection impact assessment. Three different – and lengthy – terms that mean the same thing and speak for themselves. In case of high-risk processing of personal data, organizations must map out the risks and their impact, and take measures to subsequently mitigate those risks. It is still debatable what high-risk processing entails. European privacy supervisors have drawn up guidelines to clarify this.
When is a PIA needed?
The GDPR requires a PIA if a type of processing, in particular processing using new technologies, is likely to pose a high risk to the rights and freedoms of data subjects. Such a PIA is explicitly required in the case of 1) profiling and automated decision-making, 2) large-scale processing of special categories of personal data, and 3) systematic and large-scale monitoring of publicly accessible areas.
This is not an exhaustive enumeration of situations in which a PIA is mandatory. A high risk is always the determining factor. European privacy supervisors have identified 9 categories that could indicate a high risk:
- Evaluation or score assignment. This may refer to a financial institution that conducts creditworthiness studies, a fraud database, a tool to assess and predict the health and health risks of consumers, or a company that draws up behavioural or marketing profiles based on the use of the website.
- Automated decision-making with a legal consequence. Processing aimed at making decisions about data subjects that have legal consequences for them, or that affect them in a similarly significant way. The decisive factor is therefore that the processing has real consequences for the data subject.
- Systematic monitoring. Processing using observation, monitoring or controlling of data subjects. This also includes data collected via networks and monitoring of publicly accessible areas.
- Sensitive data or data of a very personal nature. This may refer to the special categories of personal data, but also to data that is generally considered sensitive. In this respect, it may be relevant whether the data have already been made public by the data subject themselves.
- Large-scale processing of data. It is not defined exactly what large-scale means, but the following factors play a role: 1) the number of data subjects, 2) the volume of data and/or the range of data items, 3) the duration or permanent nature of the processing activity, and 4) the geographical scope of the processing activity.
- Matching or merging of datasets. This may refer to combining two (or more) different datasets that have been obtained for different purposes. A factor here is that the data subject could not reasonably expect this combination.
- Data relating to vulnerable data subjects. These are, for example, children, employees, the mentally ill, asylum seekers, the elderly, patients, et cetera. A vulnerable group is in any event a group in which there is an imbalance of power in the relationship between the data subject and the controller.
- Innovative use/innovative application of new technologies. Innovation is strongly encouraged by companies and governments, but also involves risks. Fingerprints and facial recognition are combined in order to achieve better physical access controls, and sensors are placed to ensure the safety of senior citizens. The use of such technologies may involve new forms of processing in which the risks to the rights and freedoms of data subjects may be high. These risks may be unknown and therefore need to be actively mapped out before proceeding to processing.
- Where data subjects can no longer exercise a right or rely on a service or agreement. This includes processing that is aimed at allowing, modifying or denying data subjects access to a service. The supervisors mention the example of a creditworthiness study, which also falls under category #1.
As a rule, it must be assumed that if two or more categories apply to the processing, a PIA must be performed. The more categories apply, the more likely it is that the processing involves a high risk. Do you still believe that a PIA does not need to be carried out? Then substantiate and document this decision. The opinion of the Data Protection Officer (‘DPO’) may be included in this documentation.
Not only is the opinion of the DPO important, but also the opinion of the data subjects themselves. Where appropriate, the controller must ask the data subjects (or their representatives) for their opinion with regard to the processing. This can be done, for example, through a generic study, a request to a works council/staff representation, or by means of a survey. If the controller decides that it is not appropriate to ask for the opinion, the motivation for this must also be documented.
The PIA must be performed prior to processing and must be revised regularly. Have you identified the risks and have you come to the conclusion that you cannot determine any measures that will limit the risks? Then please request prior consultation with the Dutch Data Protection Authority (AP). This means that you must consult the AP before you can start processing.
When is a PIA not needed?
When it is unlikely that processing involves a high risk, a PIA is not mandatory. In addition, other cases are conceivable where a PIA is not mandatory. This is the case when:
- a similar PIA already exists. These are, however, processing operations that are comparable in terms of nature, scale, context, purpose and risks. This may also be applicable to comparable processing carried out by different controllers. In that case, a reference PIA must be available that is shared or made publicly accessible. The measures described in the PIA must then be implemented by the controller concerned. Faithful to the documentation requirement, the GDPR also requires a written explanation as to why it would suffice to use a reference PIA.
- the processing performed before May 2018 has already been checked and authorized by the AP (for example in the case of a mandatory report). A precondition is that the specific circumstances have not changed since then.
- the processing takes place under a legal obligation or a public-law duty, and the legislator has already carried out a PIA on that specific processing operation. The fact of the matter is that, already today, the Dutch government must implement a PIA when drafting new legislation and must take this into account. This exception does not apply if the AP has decided that a PIA is necessary.
- the processing is included in an AP dispensation list. The AP has announced a list of processing operations for which a PIA is mandatory, but no dispensation list yet.
- the processing is carried out by an individual doctor, health care professional or lawyer.
The long and the short of it is that the GDPR demands quite a lot from you. In particular, the administrative burden will be high, since you must substantiate, document and demonstrate just about everything. To make things easier, the AP has said that it will eventually publish a list of processing operations for which a PIA is mandatory. In any event, the AP advises organizations to perform a PIA voluntarily, because this also benefits the organization itself. A PIA is also an important accountability tool within the context of the GDPR. With it, the organization can show that it has considered the necessity and proportionality of the processing, has assessed the risks, and has mitigated them as far as possible. This allows organizations to demonstrate that they have taken appropriate measures to comply with the GDPR. Given that the regulation is primarily based on accountability and transparency, a PIA can therefore be quite useful. European privacy supervisors also recommend performing a PIA in case of doubt.
Please observe that, even if a PIA is not mandatory, you must continue to comply with the general obligation of the GDPR to take measures to manage risks appropriately. Based on the documentation requirement, you must also document this.
If a mandatory PIA is not performed, if a PIA is performed incorrectly, or if the AP is not consulted where this is required, this can lead to a fine of up to EUR 10 million or 2% of the total worldwide annual turnover. The controller is responsible for performing the PIA, even though in some cases the processor will do the actual work. The processor is obliged to assist the controller with the performance of the PIA and to provide all necessary information.