A Data Protection Impact Assessment (DPIA) is a process designed to help organisations systematically analyse, identify and minimise the data protection risks of a project or plan.
Article 35(4) of the EU General Data Protection Regulation (“GDPR”) states that the supervisory authorities of the EU Member States (“SAs”) shall establish, publish and communicate to the European Data Protection Board (“EDPB”) a list of processing operations that are subject to a requirement for a DPIA under the GDPR.
As a result, on 3 October 2018, the EDPB published a series of opinions on the draft lists of processing operations subject to a DPIA that had been submitted by 22 EU Member States (including the UK). The EDPB assessed each list for consistency with Article 35 of the GDPR, as interpreted in the Article 29 Working Party Guidelines on DPIAs, which the EDPB has endorsed.
The EDPB opinions are intended to create a harmonised and consistent approach and to avoid significant inconsistencies that may affect the equivalent protection of the data subjects.
In October, the EDPB asked the ICO to update its DPIA guidance, having found that some of the ICO's examples of when a DPIA must be conducted went further than the GDPR requires. The ICO's original guidance said that a DPIA would need to be carried out whenever an organisation planned to process biometric, genetic or location data. The EDPB disagreed.
The EDPB said the processing of biometric, genetic or location data on its own is “not necessarily likely to represent a high risk”. The duty to carry out a DPIA is triggered in those cases if “at least one other criterion”, highlighted as a 'high risk' factor in guidance on DPIAs that the EDPB has endorsed, applies.
In December, the ICO updated its DPIA guidance. It now confirms that each of the following:
- planned processing of biometric or genetic data;
- an intention to track location or behaviour; or
- planned use of innovative technology,
triggers the requirement for a DPIA only where “any of the criteria in the European guidelines” also applies.
Organisations should review and update their existing DPIA templates and policies to reflect these changes and avoid carrying out DPIAs that the GDPR does not require.