Who is responsible for carrying out a DPIA?
“The controller is responsible for ensuring that the DPIA is carried out (Article 35(2)). Carrying out the DPIA may be done by someone else, inside or outside the organization, but the controller remains ultimately accountable for that task.” Note that the DPO has to be consulted for a DPIA in an advisory role, but is never responsible.
Who should be involved in carrying out a DPIA?
The following first provides a legal answer rooted in the GDPR and then provides additional guidance on who may have to be involved in the process of an impact assessment.
From a legal point of view, the Article 29 Working Party gives the following authoritative advice:
- “The controller must also seek the advice of the Data Protection Officer (DPO), where designated (Article 35(2)) and this advice, and the decisions taken by the controller, should be documented within the DPIA. The DPO should also monitor the performance of the DPIA (Article 39(1)(c)).”
- “If the processing is wholly or partly performed by a data processor, the processor should assist the controller in carrying out the DPIA and provide any necessary information (in line with Article 28(3)(f)).”
- “The controller must ‘seek the views of data subjects or their representatives’ (Article 35(9)), ‘where appropriate’.” This can take a variety of forms depending on context, including generic studies, involvement of representatives (such as consumer organizations), and surveys. Obtaining consent to the processing is not a valid form of seeking these views.
Beyond these legally required involvements, the Article 29 Working Party recommends covering all relevant disciplines (expertise) and responsibilities (decisions). This can lead to the involvement of both internal staff and external experts, for example:
- The business unit that uses the application, instructs affected employees, makes decisions on storage periods, access control, etc.
- The IT department that installs and operates the application and certain technical mitigation measures (as for example firewalls or backup systems).
- The human resources department, which may organize awareness campaigns and training, as well as manage non-disclosure agreements with employees.
- The legal department, which drafts specific contractual clauses to pass on obligations to processors.
- The software house that provides the application and may offer (security) updates, maintenance, and evolution.
As explicitly stated by the Article 29 Working Party for DPOs, it is recommended to document the interactions with the involved parties, the advice provided, and the decisions made in the DPIA. This is an important aspect of demonstrating compliance according to Article 5(2) GDPR.
[1] wp248rev.01, page 14, Section III.D.b), 1st paragraph.
[2] wp248rev.01, page 15, Section III.D.b), 1st paragraph. Highlighting by authors.
[3] wp248rev.01, page 15, Section III.D.b), 2nd paragraph. Highlighting by authors.
[4] wp248rev.01, page 15, Section III.D.b), 3rd paragraph. Highlighting by authors; quotation marks changed for better readability.
[5] wp248rev.01, page 15, Section III.D.b), second half of page.