Skip to main content

On-demand webinar coming soon...

Blog

WP29 issues revised guidelines on Data Protection Impact Assessment (DPIA)

October 18, 2017

An orange gradient background image.

In April 2017, the Article 29 Working Party (WP29) released guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is likely to result in a “high risk” in an effort to help companies understand the new Data Protection impact assessment requirement introduced by the GDPR in Article 35 and Regulation 2016/679. The guidelines were open for public comments until 23 May 2017 and the revised version was published a few days ago.

Overall, the revised version does not contain any major changes from the original one and most of the changes are no more than language tweaks. However, there are a few noticeable ones (detailed below):

  • The Working Party reinforces the importance of the risk-based approach in data protection frameworks
  • Changes to the criteria to consider when determining whether a processing operation is likely to result in high risk
  • Additional practical examples
  • DPIAs are required in some circumstances for existing processing operations
  • The explicit three-year re-assessment requirement was removed
  • Bigger role given to the CISO

 

WP29 reinforces the importance of the risk-based approach in data protection frameworks

Section III of the guidelines now starts with a half-page long emphasis on risks in the context of data protection. The obligation for controllers to conduct a DPIA should be understood “against the background of their general obligation to appropriately manage risks” to the rights and freedoms of individuals. Rights and freedoms of data subjects concerns primarily the rights to data protection and privacy but also involve other fundamental rights such as freedom of speech, freedom of thought, freedom of movement, prohibition of discrimination, right to liberty, conscience and religion. Controllers must continually assess the risks associated to a particular processing activity in order to identify when it may result in a high risk. The risks for each processing operation have to be identified, analysed, estimated, evaluated and mitigated and controllers cannot escape their responsibility by covering risks under insurance policies.

Changes to the criteria to consider when determining whether a processing operation is likely to result in high risk

In order to help companies determine whether a particular processing operation is likely to result in a high risk, the Article 29 Working Party provides a list of criteria to consider. The list went from 10 criteria down to nine and some of the criteria have been specified: “Sensitive data” is now “Sensitive data or data of highly personal nature,” thus expanding the scope of this criterion. The new guideline adds for this criterion that “beyond the provisions of the GDPR, some categories of data can be considered as increasing the possible risk to the rights and freedoms of individuals. These personal data are considered as sensitive (as this term is commonly understood) because they are linked to household and private activities (such as electronic communications whose confidentiality should be protected), or because they impact the exercise of a fundamental right (such as location data whose collection questions the freedom of movement) or because their violation clearly involves serious impacts in the data subject’s daily life (such as financial data that might be used for payment fraud)”. It is interesting to note that the criterion that was removed is “data transfer across borders outside the European Union.”

Additional practical examples

Below the list of criteria, the guidelines include a table with examples of processing and the possible relevant criteria to consider for each. The revised version now offers additional examples:

Example of processing 1

  • An institution creating a national level credit rating or fraud database

 

Possible relevant criteria

  • Evaluation or scoring
  • Automated decision making with legal or similar significant effect
  • Prevents data subject from exercising a right or using a service or a contract
  • Sensitive data or data of a highly personal nature

 

Example of processing 2

  • Storage for archiving purpose of pseudonymised personal sensitive data concerning vulnerable data subjects of research projects or clinical trials

 

Possible relevant criteria

  • Sensitive data
  • Data concerning vulnerable data subjects
  • Prevents data subjects from exercising a right or using a service or a contract

 

Example of processing 3

  • A processing of “personal data from patients or clients by an individual physician, other health care professional or lawyer” (Recital 91).

 

Possible relevant criteria

  • Sensitive data or data of a highly personal nature
  • Data concerning vulnerable data subjects

 

DPIAs are required in some circumstances for existing processing operations

While the first version of the guidelines stated that the requirement to carry out a DPIA applies to processing operations meeting the criteria in Article 35 and initiated after the GDPR takes effect on 25 May 2018, the new version now mentions that the requirement to carry out a DPIA applies to existing processing operations likely to result in a high risk to the rights and freedoms of natural persons and for which there has been a change of the risks, taking into account the nature, scope, context and purposes of the processing. It also adds that a DPIA is not needed for processing operations that have been checked by a supervisory authority or the data protection official, in accordance with Article 20 of Directive 95/46/EC, and that are performed in a way that has not changed since the prior checking.

The explicit three-year re-assessment requirement removed

While there is no change in position regarding the fact that a DPIA, in order to serve its purpose, must be continuously carried out on existing processing activities so as to identify potential changes that would result in a high risk, it is interesting to note that the requirement to re-assess each DPIA after three years is no longer included in the October version, which now only states that as a matter of good practice, a DPIA should be continuously reviewed and regularly re-assessed.

Bigger role given to the CISO

A minor, but nonetheless significant, change appeared in the recommendation to define and document specific roles and responsibilities within the organisation, depending on internal policy, processes and rules. In the new guidelines, the Chief Information Security Officer (CISO) – if appointed – could suggest that the controller carries out a DPIA on specific processing operation, and should help the stakeholders on the methodology, help to evaluate the quality of the risk assessment and whether the residual risk is acceptable, and to develop knowledge specific to the data controller context. Only the DPO was included for this task in the previous version.


You may also like

eBook

Privacy Management

Maturing your GDPR compliance program

This comprehensive eBook explores the key elements of a GDPR compliance program.

September 11, 2024

Learn more

eBook

Privacy Management

Understanding data transfers under the GDPR ebook

In the ebook, we delve into the fallout from Schrems II and explore how organizations based in Europe can best navigate international data transfers under the GDPR.

June 05, 2024

Learn more

Webinar

Privacy Management

Preparing for a new regulation: Lesson learned from the GDPR businesses can apply to the EU AI act?

Join our panel of experts as we celebrate GDPR Anniversary and take a closer look at the relationship between the GDPR and AI Act.

May 23, 2024

Learn more

Webinar

Privacy Management

Navigating data privacy in 2024: Global regulatory updates & compliance strategies

Join our webinar for a comprehensive overview of the latest global data privacy regulations and updates impacting businesses in 2024 and how to prepare.

March 20, 2024

Learn more

Infographic

Privacy Management

OneTrust announces partnership with Europrivacy

Learn how OneTrust and Europrivacy's partnership can help your organization achieve GDPR compliance and build trust with your customers.

December 06, 2023

Learn more

Webinar

Technology Risk & Compliance

Demonstrating GDPR compliance with Europrivacy criteria: The European Data Protection Seal

Join our webinar to learn more about the European Data Protection Seal and to find out what the key advantages of getting certified.

November 30, 2023

Learn more

Webinar

Privacy Management

Revisiting the ICO Data Protection Practitioner's Conference: Addressing your top challenges

Join OneTrust and KPMG UK to discuss the challenges of employee SARs, managing your breach response with third parties, and incident management.

October 25, 2023

Learn more

Infographic

Privacy & Data Governance

Understanding the EU Data Boundary

Download our free infographic and get the information you need to understand the EU Data Boundary and how to properly handle data in the European Union.

September 22, 2023

Learn more

Webinar

Privacy Management

Privacy in practice: PIA & DPIA with PA Consulting

Join OneTrust and PA Consulting as we discuss what makes an effective PIA, best practices, and the benefits of automation.

September 21, 2023

Learn more

Webinar

Privacy & Data Governance

Privacy in practice for data mapping: With PA Consulting and Syngenta

Join OneTrust and panelists from PA Consulting and Syngenta as we explore practical ways to build an effective data mapping program, best practices, and the need for automation.

September 14, 2023

Learn more

Webinar

Governance & Policy Management

EU-US DPF: What next for UK businesses?

Join our expert webinar as we discuss the upcoming UK-US DPF Extension and what UK businesses need to prepare to become DPF-certified.

September 06, 2023

Learn more

Webinar

Privacy Management

Unpacking the EU-US DPF

In this webinar, we cover the new EU-US Data Privacy Framework (EU-US DPF) and what privacy program managers need to know for post-Schrems II data transfers.

June 28, 2023

Learn more

Infographic

Privacy & Data Governance

The 3 priorities of the French DPO: Gain visibility, take action, automate

Download our infographic and learn about the 3 priorities of the French DPO.

May 30, 2023

Learn more

Webinar

Privacy Management

GDPR turns 5: Celebrating data protection

Northern Europe panel - Join our panel of experts as they recap the GDPR, its key concepts, and what it means for organizations and compliance. 

May 25, 2023

Learn more

Webinar

Privacy Management

Global Panel — GDPR & Tech: Key considerations of Privacy by Design and AI in tech

Join our panel of experts as we discuss the impact GDPR had on the tech industry during the past five years, the importance of privacy by design, and what to expect with AI and regulation.

May 25, 2023

Learn more

Webinar

Privacy Management

5 years of GDPR: Milestones, challenges, and opportunities

Eastern European panel - Watch our webinar as we look back on 5 years of the GDPR, AI, and their impact on Europe, the world, and your organization.

May 24, 2023

Learn more

Webinar

Privacy & Data Governance

Global Panel — GDPR & Healthcare: current regulatory guidance and enforcement

In this live webinar, our expert panel examines the first five years of the GDPR, how it changed the healthcare industry, and the changing global regulatory landscape.

May 24, 2023

Learn more

Webinar

Privacy Management

Global Panel — GDPR & Retail: building customer loyalty and trust with consent and privacy

Join us for a live panel as we discuss GDPR's impact on the retail and eCommerce industry and how companies evolved to meet the global regulatory landscape.

May 23, 2023

Learn more

eBook

Privacy Management

Getting started with GDPR compliance

This eBook covers the fundamental information you need to know in order to get your GDPR compliance program started and how OneTrust helps. 

May 23, 2023

Learn more

Infographic

Privacy Management

Comparing the FADP, Revised FADP, and the GDPR

Download our infographic to see how the Revised FADP compares with its original version and the GDPR.

May 23, 2023

Learn more

Webinar

Privacy Management

Global Panel — GDPR & Finance: Staying ahead of the regulatory and cyber landscape

How has the GDPR affected the financial industry? Join our live panel as we examine how it companies evolved to meet the regulatory challenges and what can be done to stay ahead of the curve.

May 22, 2023

Learn more

Webinar

Privacy Automation

OneTrust and Deloitte UK - Data transfers: Assessments & safeguards

OneTrust's Center of Excellence and Deloitte UK will discuss data transfers and GDPR compliance, covering the UK stance, ICO/EDBP guidance, and more.

April 04, 2023 1 min read

Learn more

eBook

Privacy Management

The 3 Priorities for DPOs in France: Gain Visibility, Take Action, Automate eBook | Resources | OneTrust

French DPOs should take three priorities into account when building their data protection and compliance programs and processes in 2023.

February 21, 2023

Learn more

Webinar

Privacy & Data Governance

Data Protection in Financial Services Week: Government keynote and international transfers

This session will examine some key issues and recent developments on international data transfers with contributions from key EU, UK, and US regulators.

February 07, 2023

Learn more

Webinar

Consent & Preferences

Belgian DPA approves TCF action plan: Where we go from here

Belgian DPA approves IAB Europe’s action plan to correct its Transparency & Consent Framework (TCF) violations of the GDPR.

January 12, 2023

Learn more

Webinar

Privacy & Data Governance

Keeping pace with the changing regulatory landscape: UK And EU updates webinar

Learn more about the privacy updates for the UK and the EU, what to expect in the coming year, and how to manage regulatory change.

August 15, 2022

Learn more

Webinar

Ethics & Compliance

GDPR and the EU Whistleblower Protection Directive webinar

Join this webinar to learn how to review your whistleblowing processes to comply with the EU Whistleblower Protection Directive, the GDPR and others.

July 06, 2022

Learn more

Webinar

Privacy & Data Governance

4 years of GDPR

Watch our webinar on the last 4 years of GDPR compliance and trends for the future.

May 05, 2022

Learn more

Webinar

Privacy Management

Privacy rights poland: Enhance Your DSAR process with automation, discovery & redaction

As part of our Privacy Automation webinar series, we discuss why it's important to automate DSAR fulfillment and the latest regulatory trends. 

April 03, 2022

Learn more

Webinar

Privacy & Data Governance

Know your laws: Comparing CCPA & CPRA vs. GDPR

Watch this free webinar and see how the CCPA and CPRA compare with the GDPR.

January 04, 2022

Learn more

Checklist

Privacy & Data Governance

Transfer Impact Assessment (TIA) checklist

This Transfer Impact Assessment checklist provides an overview of the key steps you can take as you perform a TIA.

December 01, 2021

Learn more

Infographic

GDPR's 8 fundamental data subject rights

Download our GDPR's 8 Fundamental Data Subject Rights infographic and learn more about the individual rights guaranteed under the EU's major privacy law. 

August 27, 2021

Learn more

eBook

Privacy & Data Governance

The ultimate guide to GDPR compliance

Download this eBook to get an ultimate guide to understanding the GDPR and implementing steps towards compliance.

August 26, 2021

Learn more

eBook

Privacy & Data Governance

10 steps to meeting the GDPR Article 30 requirement

Download this eBook and learn how to leverage data mapping for your GDPR Article 30 compliance program. 

July 22, 2021

Learn more

White Paper

Privacy Automation

Mastering PIAs & DPIAs: A complete handbook for privacy experts

Unlock the full potential of your privacy program with our complete handbook designed to equip privacy professionals with the essential tools and knowledge for establishing robust PIA and DPIA processes.

July 22, 2021

Learn more

Checklist

Privacy & Data Governance

GDPR compliance checklist

Download our GDPR compliance checklist for recommendations on improving your organization's privacy program. 

June 11, 2021

Learn more