Last updated: 
3 months 2 weeks ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

GDPR: Data Protection Impact Assessments

Saturday, October 14, 2017 - 08:12

The Article 29 Working Party of European data protection supervisors has published the final version of its Guidelines on Data Protection Impact Assessments (DPIAs). These build on the long-standing concept of Privacy Impact Assessments, being similar to normal risk assessments but looking at risks to the individuals whose data are being processed, rather than to the organisation doing the processing. Having identified the risks, the DPIA process should then consider how they may be mitigated, and ensure that this reduces them to an acceptably low level.

Under Article 35 of the GDPR, performing a DPIA is mandatory for any processing activity that represents a high risk to individuals. The Guidelines provide a list of nine characteristics of processing – evaluation or scoring, automated decision-making with significant effect, systematic monitoring, sensitive data, large-scale processing, combining datasets, vulnerable data subjects (including employees), innovative technological or organisational solutions, processing that prevents individuals exercising their rights - and suggest that any activity including two or more of these is likely to require a DPIA. A table of worked examples provides useful comparisons for organisations assessing their own activities. In addition, supervisory authorities are encouraged to make lists both of activities that do require a DPIA and those that do not.

Once a DPIA has been decided on, the next question is which risks need to be assessed. Here the guidelines provide little help. Although "privacy" and "data protection" are different rights in European law, here "Privacy Impact Assessment" and "Data Protection Impact Assessment" appear to be treated as synonymous. Annex 1, which suggests existing processes likely to be satisfactory, includes both types (including the Information Commissioner's PIA Code). It's therefore unclear whether a DPIA should look only at risks to non-public data, or include issues such as potential misuse of public directories (a DP issue, but not a privacy one) or, as suggested on page 6 of the guidelines, risks to all rights and freedoms, including free speech and freedom from discrimination.

The guidelines aren't sufficiently detailed, in themselves, to be used to conduct a DPIA. Instead organisations could look at the various Codes referenced in Annex 1, or else use the list in Annex 2 of features of a DPIA to perform a gap analysis against their existing risk assessment and development processes to determine how these could be developed into an acceptable DPIA.

Formally the legal requirement to perform a DPIA only applies to new activities and those where risks have changed. The draft guidelines contained a specific deadline by which existing high-risk processing should be subject to a DPIA; this has now been replaced by an expectation that this will happen as risks to personal data are periodically reviewed. The guidelines also note that performing a DPIA and publishing a summary can help to build confidence in an organisation and its processing, so there may be benefits from applying the approach more widely.