Data protection impact assessments – when will EU businesses be required to carry them out?

Out-Law Analysis | 20 Jan 2015 | 3:01 pm | 8 min. read

FOCUS: New EU data protection laws are likely to require businesses operating in the EU to undertake data protection impact assessments.

The plans would make it mandatory for data protection impact assessments (DPIAs) to be carried out when organisations are thinking about engaging in certain personal data processing activities.

However, the precise rules on when businesses will need to carry out DPIAs obligations and what those assessments should entail are the subject of intense debate among EU law makers.

Here we look at what rules have been drafted on DPIAs under the proposed new General Data Protection Regulation and what conducting such an assessment will mean for businesses in practice.

Data protection impact assessments

Data protection, or privacy, impact assessments are used by organisations to identify, understand and address any privacy issues that might arise when developing new products and services or undertaking any other new activities that involve the processing of personal data.

In the UK, the Data Protection Act (DPA) does not oblige organisations to conduct privacy impact assessments, but the ICO has said they are useful 'best practice' tools for organisations to use and has issued guidance on how organisations can get the most from such assessments.

EU data protection reforms

Planned changes to EU data protection laws look set to change the voluntary nature of conducting DPIAs – many organisations could find themselves obliged to undertake such assessments in future.

In 2012, the European Commission proposed a new EU General Data Protection Regulation which outlined its plans to replace the existing general requirement organisations have to notify regulators about their personal data processing activities. In its place, the Commission proposed a new mandatory DPIA framework.

Under the Commission's plans, businesses would have to conduct a DPIA before proceeding with 'risky' personal data processing activities. The Commission said it favoured this measure because the "indiscriminate" notification regime had not always contributed "to improving the protection of personal data".

Specifically, the Commission said a data protection impact assessment would need to be carried out by data controllers, or processors acting on their behalf, "where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes". The assessment would need to look into "the impact of the envisaged processing operations on the protection of personal data".

The Commission outlined a non-exhaustive list of examples of 'risky' processing activities for which a DPIA would need to be conducted. Examples include some automated processing operations and other processing activities that use information about individuals' health or race, large scale video surveillance in public areas, the processing of personal data about children, or using genetic or biometric data, within "large scale filing systems".

Under the Commission's plans, it would retain the power to set precise "criteria and conditions for processing operations requiring a data protection impact assessment", as well as the standards and procedures to be adhered to when undertaking such a review. However, it did set out what basic information businesses would have to include in their DPIA.

"The assessment shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned," according to the Commission's plans. It said data controllers should also generally have to consult with individuals about their "intended processing".

If a DPIA "indicates that processing operations involve a high degree of specific risks to the rights and freedoms of data subjects", businesses would be required to consult regulators about this and "make proposals to remedy such situation", according to the proposals. Businesses that fail to conduct a DPIA when they are required to, or which do not consult with regulators about appropriate safeguards when 'high risk' processing activities are identified, would face a potential fine under the new Regulation.

Differences of opinion

The Commission's proposals have been scrutinised by EU law makers within the European Parliament and Council of Ministers since they were first outlined. The Parliament and Council must reach a consensus on the wording of the new Regulation before it can be finalised and brought into force.

The Parliament and Council have been working on separate amended versions of the Commission's draft. In spring last year the Parliament set out a suggested new Regulation, including proposed changes to the DPIA rules. The Parliament's proposals describe DPIAs as "the essential core of any sustainable data protection framework" and said they can help "fundamentally limit" data breaches and intrusions of privacy if they are "thorough".

Justice ministers from each EU country that make up the Council group negotiating on the data protection reforms have yet to reach a similar agreement on the Regulation's drafting. However, a document published last year does offer clues about the approach the Council might take when final negotiations with the Parliament and Commission on the wording of the Regulation eventually begin.

Both the Parliament and Council oppose giving the Commission power to set the criteria, conditions, standards and procedures for DPIAs.

Does your organisation's personal processing involve 'specific risks' to privacy?

Under the Parliament's plans, every organisation would have to conduct a "risk analysis" of their intended personal data processing activities. The analysis would have to look at "the potential impact" of the processing on individuals' "rights and freedoms", and identify whether the processing is "likely to present specific risks".

In most cases where such 'specific risks' are identified, organisations would be forced to undertake a more comprehensive DPIA before proceeding with the processing. This would include cases where a business intends to process the personal data of more than 5,000 people in a year.

Other examples of processing operations likely to present specific risks, and triggering DPIA obligations under the Parliament's plans, could include those where businesses intend to build profiles about individuals, as well as where the data being processed is that of a child or is other sensitive personal information, or where there would be "large scale" automatic monitoring of public areas. In addition, a DPIA would need to be conducted if an organisation's risk analysis found that a data breach incident would "likely adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject".

The Parliament said a DPIA would have to "have regard to the entire lifecycle management of personal data from collection to processing to deletion". It set out the type of information businesses would have to outline in a DPIA report.

A DPIA should have to include "a systematic description" of the personal data processing activities businesses envisage undertaking, as well as what the purposes of the operations are and what "legitimate interests", if any, the businesses are pursuing. Businesses would also have to include their own assessment of the necessity and proportionality of the processing and the risks to individuals' rights and freedoms it raises, and the measures they intend to take to "address the risks and minimise the volume of personal data which is processed".

An explanation of data privacy and security safeguards and "a general indication of the time limits for erasure of the different categories of data" to be processed would also need to be stipulated. Further information about the intended types of organisations that businesses intend to share the data with and details of any plans they have to transfer the data overseas would also need to be included, under the plans.

In some cases businesses would need to consult with data protection authorities about their personal data processing intentions. In those cases the regulators would assess whether the activities would comply with the new Regulation.

The need to consult with regulators could arise where businesses find, through their DPIA, that their processing is "likely to present a high degree of specific risks". Regulators would also have the power to demand access to any DPIA so as to assess businesses' compliance.

Under the Parliament's plans, information set out in the DPIA would be subject to a data protection compliance review that businesses would have to undertake at least every two years. The results of those reviews would be subject to potential access by regulators.

The Parliament's proposals could also force businesses to notify individuals if a DPIA indicates that their processing operations present a "high risk" to their rights and freedoms so as to meet their 'fair processing' disclosure obligations.

Furthermore, businesses would have to consider the results of DPIAs when reviewing whether their personal data processing activities would adhere to the Regulation's requirements, under the Parliament's proposals on 'data protection by design'. Similarly, the DPIA results would also need to be taken into account by companies when assessing the security of their processing obligations, under the Parliament's plans.

Consult with regulators on 'high risk' processing operations only?

Businesses face less prescriptive rules on DPIAs under the Council's proposals (44-page / 491KB PDF). It said that organisations should be required to conduct a DPIA "where a type of processing … is likely to result in a high risk for the rights and freedoms of individuals".

The Council explicitly references processing based on new technologies as triggering the need for a DPIA, and it has provided guidance for businesses on what to consider when assessing whether their operations are of 'high risk'. If processing is likely to lead to discrimination, identity theft, financial loss or reputational damage, for example, it can be labelled as 'high risk', according to the plans.

A list of processing operations that the Council would consider to be likely to be of 'high risk' is much shorter than that of the Parliament's. It refers to certain processing activities that are based on profiling, the processing of sensitive data and the monitoring of people in public areas on a large scale as examples.

However, the Council has proposed to allow national data protection authorities the freedom to outline more precisely other types of processing operations for which a DPIA would be required. Businesses would also need to consult with individuals about 'high risk' processing activities.

The Council's proposals are also less prescriptive about the type of information businesses would have to include in their DPIAs compared to the Parliament. Under its proposals, businesses would have to provide a "general description" of their intended processing, an evaluation of risks and measures envisaged to address them, including safeguards, and the "security measures and mechanisms" they intend to put in place to protect data privacy.

Businesses would generally be able to go ahead with personal data processing operations of a 'high risk' nature if they put in measures to "mitigate the risk" after a DPIA has been carried out. However, the regulators would have powers to set out the type of processing activities that businesses would have to consult them on, and would be able to step in to advise companies where it is of the view that risks have either been "insufficiently identified or mitigated", according to the proposals.

Technological change and data protection

Although there are varying opinions on how the new DPIA regime should be drafted, EU law makers are clear that new ways of processing personal data triggered by technological innovation should be subject to scrutiny, at least by businesses themselves and their data protection officers, and often by regulators.

For businesses at the forefront of new technology, such online retailers, digital health service providers and 'connected car' manufacturers, major changes are coming. Those companies should start considering now how they might meet their new legal obligations in the most efficient and effective manner.

Kathryn Wynn is an expert in data protection law at Pinsent Masons, the law firm behind

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.