EU Data Protection Authorities Issue Draft Guidance on When Data Protection Impact Assessments Are Required under New GDPR
On April 4, 2017, the Article 29 Working Party ("WP29"), the group representing national data protection regulators in the European Union, following their April plenary meeting, issued guidelines (the "Guidelines") on Data Protection Impact Assessments ("DPIAs"), which will be used to measure compliance with the General Data Protection Regulation ("GDPR"). The Guidelines are now open for public consultation. Comments can be sent to the WP29 until May 23, 2017, before the final adoption, to either of the following email addresses: JUST-ARTICLE29WP-SEC@ec.europa.eu or presidenceg29@cnil.fr.
The GDPR introduces a new regime for the protection of personal data in the European Union, and it will apply starting on May 25, 2018. In line with the new framework, businesses will have to comply with new stringent requirements and obligations.
DPIA Guidelines
The Guidelines (i) help clarify which processing operations are subject to a DPIA, (ii) provide some useful criteria to consider when assessing whether a DPIA is necessary and (iii) describe the process of carrying out a DPIA.
Conducting a DPIA is one of the new requirements introduced by the GDPR. In accordance with Article 35 of the GDPR, data controllers should conduct an assessment of the impact of their processing activities when these could result in “a high risk to the rights and freedoms of natural persons.” In such cases, a DPIA must be conducted prior to processing the data (something that might be difficult to achieve). The DPIA will have to include, among other items, (i) a description of the processing operations and the purposes of each operation, (ii) an assessment of the necessity and proportionality of the processing, (iii) the risks related to the processing and (iv) the measures in place to address and to demonstrate compliance with the GDPR.
The Guidelines specify that a single DPIA could be used to assess multiple processing operations that present similar risks and that when processing operations involve joint controllers, they will need to define their respective obligations precisely.
Processing operations that require a DPIA to be carried out will include, inter alia:
- Evaluation or scoring (including profiling and predicting): This could include a bank that screens its customers against a credit reference database or a biotechnology company that offers genetic tests directly to consumers in order to assess and predict disease/health risks;
- Processing of data concerning vulnerable data subjects: This includes employees who, according to the WP29, would have difficulties opposing the processing performed by their employer for human resources management;
- Processing related to the use of a new technology;
- Systematic monitoring: This is a criterion for the WP29 because the personal data may be collected in circumstances in which the data subjects may not be aware of who is collecting their data and how the data will be used;
- Processing of sensitive data: This includes special categories of data as defined in Article 9 of the GDPR (for example, information about individuals’ political opinions) as well as personal data relating to criminal convictions or offenses. Examples would be a patient’s medical records kept by a hospital or an offender’s details kept by a private investigator;
- Large-scale processing of personal data: This is defined using similar criteria to those provided by the WP29 in its guidelines regarding the Data Protection Officer, i.e., factors such as number of data subjects, volume or geographical reach;
- Data transfer across borders outside the European Union, taking into consideration factors including the envisaged country or countries of destination and the possibility of further transfers or the likelihood of transfers based on derogations for specific situations set forth by the GDPR; and
- Processing of data that have been matched or combined.
Other Outcomes of the April Meeting
At the same WP29 meeting, the final versions of the guidance on data portability, the Data Protection Officer role and the lead supervisory authority were adopted. The final guidelines can be found here:
- Guidelines on the right to "data portability", wp242rev.01
- Guidelines on Data Protection Officers ('DPOs'), wp243rev.01
- Guidelines on the lead supervisory authority, wp244rev.01
(See also our December 2016 legal update on the guidance.)
The WP29 also adopted an opinion on the draft e-privacy regulation proposed by the European Commission in January 2017. (For more information, see the Law360 article in which our partner Charles-Albert Helleputte is quoted.)