Share this article on:
The General Data Protection Regulation (GDPR) is a highly complex piece of legislation, but entities should pay particular attention to ensure they have a clear overview of Article 35 and understand how their activities may create risks for individuals, as well as for themselves.
The GDPR is a wide-ranging European privacy law, governing and protecting the data of people living in the EU. It will come into effect on May 25, 2018. Article 35, Data protection impact assessment, is the first Article in Section 3, Data protection impact assessment and prior consultation.
As certain data processing activities use novel techniques or include the processing of more sensitive data, they may present a high risk to data subjects – the people the data refers to. Article 35 describes when and how a data controller should carry out a data protection impact assessment in order to identify and minimize or address these risks.
What Type of Data Requires an Assessment?
The processing of certain data types will always require a data protection impact assessment prior to any processing being executed. Article 35 notes that large scale automated processing of “personal aspects relating to natural persons” will require an impact assessment if the results of the processing “produce legal effects concerning the natural person or similarly significantly affect the natural person”. Importantly for many organizations, the Article clearly states that this includes automated profiling processing. Some have raised the question of whether this means offering discounts to certain customer profiles – which could constitute a legal effect – would require an assessment.
Other data that is specified in the Article is the large scale processing of “personal data relating to criminal convictions and offences” and – through referral to Article 9 – “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.
More broadly, Article 35 requires impact assessments for “systematic monitoring of a publicly accessible area on a large scale”. This could mean monitoring footfall on the street outside of a retail location or car traffic in a publicly accessible car park or road would require an assessment.
What Must be Included in a Data Protection Impact Assessment?
Should the organization include a data protection officer, they must be involved and consulted during the impact assessment. There are four main pillars that must be addressed in the assessment:
1. A description of how the processing will be carried out as well as the purpose of the processing.
2. A report of the “necessity and proportionality” of the processing compared to the intended outcome e.g. if you are processing web traffic by browser and money spent with the goal of ensuring website optimization for higher paying customers, then processing the physical orIP location of these customers might not be necessary or proportional to your stated goal.
3. An in-depth assessment of the risks that processing the data may create for the data subjects. For example, could your browser/spending study data increase the risk of these customers or browsers being targeted by viruses or malware?
4. The security measures that will be put in place to reduce or address the identified risks.
Best Practices for Compliance
There are some steps that organizations can take to help them to comply with the GDPR standards, such as:
– Auditing data in order to identify what types of data are being stored, how they are being stored, and how they are being processed. An employee should be appointed to manage and take responsibility for processing activities.
– We mentioned above that certain data is more sensitive than others. Different assessment procedures will work better in identifying the risks for different types of data. Determining the optimum procedure prior to commencing the assessment will ensure a more robust result.
– Explore certification or approved codes of conduct. Article 35 states that “compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations”.
These three steps can increase the relevance and efficiency of the assessment process, saving time and money while facilitating compliance.