Following up on yesterday’s blog about profiling and automated decision making, we now look at guidance on data protection impact assessments (DPIAs). The same guidance we discussed also directs companies to conduct a DPIA where profiling or automated decision making results in a “systematic and extensive evaluation” of an individual and decisions based on that evaluation could produce legal effects concerning the individual or similarly significantly affect them.
Additional guidelines released by the Working Party last month provide more detail on DPIAs and on when a DPIA is required. A DPIA is a tool for managing risk, and companies can use it to demonstrate compliance with GDPR requirements. A DPIA is only required where processing of personal data under the GDPR is “likely to result in a high risk to the rights and freedoms of natural persons.” The guidelines give the following examples of processing that is likely to require a DPIA:
- A hospital information system processing patients’ health data
- A company that systematically monitors employees’ activities, including internet activity
- The gathering of public social media data for generating profiles
The guidelines remind companies that the DPIA must be carried out before the processing begins. The DPIA must include (1) a systematic description of the processing and its purposes, (2) an assessment of the necessity and proportionality of the processing, (3) an assessment of the risks to the rights and freedoms of data subjects, and (4) the measures envisaged to address those risks and demonstrate compliance with the GDPR. Processing can commence once the DPIA shows that the residual risk is acceptable; where the DPIA indicates that the processing would still result in a high risk despite the planned measures, the controller must consult the supervisory authority before starting.
Putting it Into Practice: Companies assessing whether they need a DPIA under the GDPR should keep the timing in mind: the assessment has to be completed before processing starts, not after. A close look at the type of processing being conducted, measured against the examples above, is an important first step.