In certain cases, privacy legislation imposes a requirement on organisations to evaluate, in advance, the risks to the rights and freedoms of data subjects that result from data processing: a data protection impact assessment ("DPIA").
Organisations should ascertain from time to time whether such a duty applies to them. Under the General Data Protection Regulation ("GDPR"), a DPIA is required when the processing "is likely to result in a high risk to the rights and freedoms of natural persons". It is not easy to evaluate this risk, because it is unclear what may be considered a "high risk". The GDPR itself provides several examples of high-risk processing operations. Moreover, the Dutch Data Protection Authority ("DPA") has published on its website the Guidelines on Data Protection Impact Assessment (DPIA) of the Article 29 Data Protection Working Party ("Guidelines"), which provide more clarity. These Guidelines contain nine criteria. In principle, when at least two of the criteria are met, a DPIA is required.
The nine criteria set out in the guidelines are as follows:
- Evaluation or scoring;
- Automated decision-making with legal or similarly significant effect;
- Systematic monitoring;
- Data processed on a large scale;
- Sensitive data or data of a highly personal nature;
- Datasets that have been matched or combined;
- Data concerning vulnerable data subjects;
- Innovative use or applying new technological or organisational solutions; and
- When the processing in itself "prevents data subjects from exercising a right or using a service or a contract".
Examples
The DPA recently published a list (Dutch only) of types of processing that require a DPIA. This list includes: processing for secret investigations or blacklists; systematic and/or large-scale processing for fraud prevention, for credit scoring, or for assessing a person's financial situation; systematic and/or large-scale processing of genetic data or health data; exchange of sensitive data and special category data; structural and large-scale CCTV surveillance of public spaces; systematic and/or large-scale flexible camera surveillance; systematic and/or large-scale employee monitoring; processing of location data; processing of communication data; processing through internet of things devices; systematic and extensive profiling; and large-scale observation and influencing of behaviour.
EDPB checks lists of supervisory authorities
The other supervisory authorities in the EU have also published their own lists of examples. Aiming at harmonisation, the European Data Protection Board ("EDPB") has reviewed the lists of the supervisory authorities. In its opinions, the EDPB clarifies that the lists of examples are not exhaustive and are merely an elaboration of the Guidelines. The EDPB emphasises the importance of the nine criteria mentioned above contained in the Guidelines. It states that processing a certain type of personal data is not by itself sufficient to trigger a DPIA; at least two criteria from the list must be fulfilled. Moreover, the EDPB highlights that, in determining whether processing is large-scale, the factors set out in the Guidelines must be taken into account (the number of data subjects, the volume of data, the duration of the processing and its geographical extent).
Conclusion
The EDPB's recommendations have not made it easier to assess whether a DPIA is required. The presence of a "high risk" remains dependent on the specific circumstances of the case. The nine criteria from the Guidelines remain leading.
Do you need help to assess if your organisation needs a DPIA? Please contact Eliëtte Vaal.
This blog was written by Eliëtte Vaal.
This article is part of the IT & Privacy Newsletter.