According to the Article 29 Working Party, a Data Protection Impact Assessment (DPIA) is “a process designed to describe the processing [of personal data], assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them”[1].
Article 35.1 GDPR requires data controllers to perform a DPIA when the data processing is likely to result in a high risk to the rights and freedoms of natural persons. Therefore, a DPIA is not always mandatory. However, data controllers are required to always perform the preliminary risk assessment to identify whether the processing is likely to result in high risks to the rights and freedoms of natural persons. This preparatory assessment is an integral part of the DPIA process. Thus, it is possible to say that certain elements of the DPIA are mandatory to, at least, determine if a DPIA is necessary.
The risks to the rights and freedomsto data subjects are referred to in Recital 75 GDPR. Theseare the risks which could lead to physical, material, or non-material damage for the data subject concerned (e.g., being denied access to a service following a false-negative identification).
| Examples of the risks to the rights and freedoms | |
| Discrimination | Identity theft or fraud |
| Financial loss | Damage to reputation |
| Loss of confidentiality of professional secrecy | Unauthorized reversal of pseudonymization |
| Economic or social disadvantage | Prevention from exercising control over personal data |
The GDPR does not define ‘high risk’. However, the Article 29 Working Party produced a list of nine criteria data controllers can follow to understand if the processing can be considered a high risk one[2].
| Criteria for high-risk processing | |
| Criterion 1 | Evaluation or scoring (e.g., profiling) |
| Criterion 2 | Automated decision-making with legal or similar significant effect |
| Criterion 3 | Systematic monitoring |
| Criterion 4 | Sensitive data or dataof a highly personal nature |
| Criterion 5 | Data processed on a largescale |
| Criterion 6 | Matching or combining datasets (beyond reasonable expectations of data subject) |
| Criterion 7 | Data concerning vulnerable data subjects |
| Criterion 8 | Innovative use or applying new technological or organizational solutions |
| Criterion 9 | When the processing in itself prevents data subjects from exercising a right or using a service or a contract |
Researchers performing their research activities should consider all of them to understand whether a DPIA is required. Yet, criteria four and eight are particularly relevant for the purpose of this document. Criterion four matterswhen biometric data processed are processed during the research activity. Criterion eight isimportant in the context of ICT research since this activity might introduce new technology to process data (e.g., innovative ways to capture and analyze voice samples).
Article 35.4 GDPR requiresnational supervisory authorities to publish the listof data processing activities for which a DPIA is mandatory[3]. This might offer further guidance as to what constitutes a processing required a DPIA, and researchers should pay attention to the position of relevant supervisory authorities. Also, researchers should seek guidance from the organization’s DPO, given the complexity of the task at hand (see also on this: “DPIA” subsection in the Main Actions and Tools section of the General Part of these Guidelines)
In order to be able to demonstrate compliance, the assessment whether the processing is likely to result in high risks to the rights and freedoms of natural personsshould be documented and kept.
References
1Article 29 Data Protection Working Party, ‘Guidelines on Data Protection Impact Assessment (DPIA) and Determining Whether Processing Is “Likely to Result in a High Risk” for the Purposes of Regulation 2016/679’, October 2017, 4. ↑
2Article 29 Data Protection Working Party, 9–11. ↑
3In this respect, national supervisory authorities have published in their websites the corresponding list. In some cases, the EDPB has already issued an opinion on the matter regarding the activities included in each list. For further information please seeEuropean Data Protection Board, ‘Opinion 6/2019 on the Draft List of the Competent Supervisory Authority of Spain Regarding the Processing Operations Subject to the Requirement of a Data Protection Impact Assessment (Article 35.4 GDPR)’, March 2019. ↑