Data Protection Impact Assessment

A DPIA is not always compulsory in the case of IoT development (see the “In what cases must I carry out a DPIA” subsection within “Data Protection Impact Assessment”, “Main Tools and Actions”, Part II of these Guidelines). It depends on whether the risks associated with the processing are high or not, according to Article 35(3) of the GDPR. However, it is highly recommended as it supports accountability. For instance, a DPIA is compulsory if the processing involves systematic monitoring of a publicly accessible area on a large scale, or is intended to evaluate or score vulnerable populations. In any case, the WP29 included some fundamental criteria in its Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679[1].

In case of doubt, consultation of the competent supervisory authority prior to processing is highly recommended (see the “Data Protection Impact Assessment” section of the “Main Tools and Actions”, Part II of these Guidelines).

The CNIL created an excellent tool aimed at providing advice on how to perform a Privacy Impact Assessment[2], which includes well-designed and practical advice. Consulting it is highly recommended: https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-piaf-connectedobjects-en.pdf

Checklist
  • Verify whether you need to conduct a DPIA for your processing activity.
  • Document this verification (no matter whether it was affirmative or not).

If a DPIA is necessary:

  • Start as early as possible (following the principle of Data Protection by Design).
  • Get an overview of what a DPIA is.
  • Use the guidance and templates provided by the competent Data Protection Supervisory Authority (DPA) where possible.
  • If not (your DPA does not provide such material, or you have to cater to many areas of competence of different DPAs), follow the guidance provided by the Article 29 Working Party in wp248rev.01.
  • Assemble the team necessary to conduct the DPIA.
  • Consider ways of facilitating your work.

References

[1] A29WP, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, adopted on 4 April 2017, as last revised and adopted on 4 October 2017. At: https://ec.europa.eu/newsroom/article29/items/611236/en

[2] CNIL, Privacy Impact Assessment. Application to IoT devices. February 2019. At: https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-piaf-connectedobjects-en.pdf