News & Views

Data Protection: WP29’s New Guidelines on Data Protection Impact Assessments under the GDPR

26 April 2017

Author: Erkko Korhonen

The Article 29 Working Party (the WP29), which is an independent advisory board on data protection and privacy, has adopted Guidelines (in English) on Data Protection Impact Assessment (DPIA) on 4 April 2017. The guidelines define when and how an impact assessment should be carried out pursuant to the EU General Data Protection Regulation 2016/679 (the GDPR).

In the GDPR, the obligations of controllers regarding DPIAs are defined on a risk basis: according to Article 35 of the GDPR, a DPIA is required when the processing is “likely to result in a high risk” to the rights and freedoms of data subjects.  The DPIA is a process for measuring and demonstrating compliance with the GDPR. The WP29 guidelines provide answers to questions regarding the aspects that a DPIA addresses, the processing operations that are subject to a DPIA, and also how to carry out a DPIA and when the supervisory authority shall be consulted.

Certain types of processing operations require risk assessment and the carrying out of a DPIA. Article 35 provides a non-exhaustive list of the types of operations that require risk assessment.  A DPIA is required to be carried out, for example, in the case of a) a systematic and extensive evaluation based on automated processing, including profiling, b) processing on a large scale of special categories of sensitive data, and c) processing that includes systematic monitoring of publicly accessible area. The WP29 recommends that the possibility of processing operations causing a high risk be considered with the following criteria: 1) evaluation or scoring, including profiling and predicting, 2) automated-decision making with legal or similar significant effect, 3) systematic monitoring, 4) data concerning vulnerable data subjects, and 5) when the processing in itself prevents data subjects from exercising a right or using a service or a contract. It should also be considered whether the data in question is 1) sensitive, 2) processed on a large scale, 3) innovatively used or applied in technological or organisational solutions, 4) data that includes datasets that have been matched or combined, and 5) transferred across borders outside the EU.

The guidelines set forth a rule of thumb for a “high risk” by which a DPIA is required when a processing operation meets at least two of the criteria presented in the guidelines and above. Thus, a DPIA is required, for example, in situations where sensitive data concerning vulnerable data subjects is being processed by a hospital or data is collected through a systematic monitoring and the collected data is being used innovatively. If the processing meets at least two of the criteria and it is considered not to be “likely high risk”, the controller should thoroughly document the reasons for not carrying out a DPIA. Furthermore, the WP29 recommends that when in doubt, one should always carry out a DPIA. Annex 2 to the guidelines sets out criteria for an acceptable DPIA.

The WP29 has presented the following generic iterative process for carrying out a DPIA in its guidelines:

[caption id="attachment_633" align="alignnone" width="980"]Figure from the Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 by the Article 29 Data Protection Working Party Figure from the Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 by the Article 29 Data Protection Working Party[/caption]


The WP29 strongly recommends to carry out DPIAs for processing operations already underway prior to the entry into force of the GDPR (i.e. 25 May 2018) if there will be a significant change to a processing operation after May 2018 (for example, if a company will take a new technology into use or use personal data for a different purpose) or a change to the risks presented by the processing operation. As a matter of good practice, a DPIA should be continuously carried out on existing processing activities. However, it should be re-assessed after 3 years, or perhaps sooner, depending on the nature of the processing and the rate of change in the processing operation and general circumstances.

The now published version of the guidelines is subject to comments until 23 May 2017. The final version of the guidelines on DPIA can be expected in the summer/autumn of 2017.