Clarification is expected shortly from the Irish Data Protection Commission (“DPC”) in relation to those data processing activities which require a data controller to conduct a mandatory Data Protection Impact Assessment (“DPIA”) in advance of data processing. Caitlín Love explains why your organisation needs to know about it.
In brief: The DPC is expected to publish its finalised list later this year of data processing activities which require a data controller to conduct a mandatory DPIA in advance of data processing. Your organisation or company is more than likely a data controller in respect of some or all of the personal data that it holds and it is therefore important for your organisation to be prepared and:-
1. Know what a DPIA is;
2. Understand when a DPIA needs to be carried out; and
3. Be able to identify which processing activities are likely to require a mandatory DPIA before processing the data.
The 25th May 2018 (the date upon which the General Data Protection Regulation (“GDPR”) came into force) has come and gone with relative ease, meaning it is business as usual for many; the only difference is that the European Union is now expected to boast a more data protection friendly landscape as a result.
There are however some areas of the GDPR which require clarification and expansion by way of national law and guidance. One area which requires clarification is confirmation of those data processing activities that require a data controller to conduct a mandatory DPIA in advance of processing data. A data controller is any “natural or legal person… which determines the purposes and means of the processing of personal data” and consequently includes most businesses and public sector entities.
WHAT IS A DPIA?
A DPIA is essentially a risk-based assessment, which requires a data controller to weigh up the impact of the intended processing operations on the affected data subjects’ privacy rights against the desired outcome of the processing in order to determine if the processing is proportionate and justifiable.
Article 35(7) of the GDPR sets out what is required, as a minimum, in any DPIA:-
- a systematic description of the processing operations envisaged and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects; and
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.
WHEN DO I NEED TO CARRY OUT A DPIA?
Where a certain type of data processing is “likely to result in a high risk to the rights and freedoms of natural persons” then the data controller must carry out a DPIA prior to the processing. Article 35(3) sets out some examples of when a DPIA will be required by a data controller, namely where the intended processing activity involves:-
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or “similarly significantly” affect that individual;
- processing on a large scale of special categories of personal data, i.e. sensitive data or personal data related to criminal convictions and offences; and
- systematic monitoring of a publicly accessible area on a large scale.
An obligation falls on the DPC to establish and publicise a list of additional processing activities which mandate data controllers to conduct a DPIA in Ireland. The DPC has recently published its draft list of such activities (available on the DPC website).
The draft list prepared by the DPC sets out the following processing activities as those which require a mandatory DPIA before proceeding:-
- Using personal data on a large-scale for a purpose(s) other than that for which it was initially collected;
- Profiling vulnerable persons, including children, to target marketing or online services at such persons;
- Using profiling or special category personal data to determine access to services;
- Monitoring, tracking, or observing individuals’ locations or behaviours;
- Profiling individuals on a large-scale;
- Processing biometric data to identify an individual;
- Processing genetic data;
- Indirectly sourcing personal data where transparency requirements are not being met;
- Combining, linking or cross-referencing separate datasets where such linking contributes to profiling or behavioural analysis of individuals;
- Processing personal data based on legislative measures under the Data Protection Act 2018 where suitable and specific measures are required to safeguard the fundamental rights and freedoms of individuals; and
- Further processing of personal data for archiving purposes in the public interest, scientific or historical research or statistical purposes.
This list was submitted to the general public for consultation in early June and the deadline for feedback was 4th July 2018. Once this feedback has been reviewed and addressed, a finalised list will be prepared and submitted by the DPC to the European Data Protection Board for approval.
As is evident from the list above (which is subject to finalisation), and the guidance provided under the GDPR, it appears that no definitive examples of those processing activities that do or do not require a DPIA will be provided, leaving it a matter of subjective interpretation for a data controller as to when to conduct a DPIA. A common misconception in this respect is likely to be that the requirement for a DPIA falls only to those large multi-national corporations whose businesses revolve around large scale data collection and processing. We would advise caution in this respect however, as the DPIA requirement could equally fall on smaller SMEs and businesses where certain processing activities raise a question mark or concern in terms of infringing data subjects’ rights for a disproportionate aim, regardless of whether that aim is legitimate or not. In this respect, particular consideration should be given by those data controllers who process sensitive or special categories of personal data, those processing activities that relate to children and/or other vulnerable individuals, as well as those organisations that process extensive personal imaging or voice recording data, whether via CCTV recording or otherwise.
In any event, data controllers need to watch this space, as failure to carry out a mandatory DPIA where required is one instance where the DPC may consider a higher fine is warranted where a breach has been found. Furthermore, any fine imposed as a result of such a breach may not be recoverable under any cyber, Directors and Officers (D&O) or other data protection insurance policy held by the data controller, on the basis that such a breach is likely to be deemed not to be insurable at law under the legal doctrine of Ex Turpi Causa Non Oritur Actio, which prohibits a claimant from pursuing civil remedies for damages or loss that occurs as a result of their own wrongful/illegal act, such as non-compliance with the GDPR.
In light of the serious consequences which could ensue as a result of a data controller’s failure to carry out a DPIA for a relevant data processing activity, we would recommend always seeking legal advice in advance of proceeding with such processing, particularly where you have a doubt or concern as to whether a DPIA may be required. Should you require any assistance in this area, please contact any member of the Data Protection and Cyber Risks unit.