The Data Protection Supervisory Authorities (DPAs) of 22 Member States of the European Union (EU), recently submitted draft lists to the European Data Protection Board (EDPB). These lists identified data processing activities likely to result in a high risk to the rights and freedoms of individuals and hence require a pre-emptive Data Protection Impact Assessment (DPIA). The EDPB subsequently issued opinions on each of these lists, pursuant to its responsibilities under Article 64(1) of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR).
This assessment of the draft lists is intended to create a harmonised approach and promote consistency in processing that can affect the free flow of personal data of natural persons across the EU. The EDPB requested that the DPAs include certain types of processing in their lists, remove other types that the EDPB did not consider as creating high risks for data subjects, and use some criteria in a harmonised manner. Nevertheless, the EDPB explained that each DPA has a margin of discretion with regard to the national or regional context and should take into account their local legislation.
This article discusses the Irish DPA’s (Data Protection Commission – DPC) response to the EDPB opinions via the issuance of their final guidance on mandatory DPIAs. From the discussion that follows it is clear that there will be instances when a DPIA is necessitated. We will make a similar analysis of the UK DPA’s response to the EDPB once it is issued.
The Irish Perspective on Mandatory DPIAs
In accordance with Article 35(4) GDPR, the DPC’s guidance states that a DPIA will be necessary for the following types of processing operations, where a documented screening or preliminary risk assessment indicates that the processing operation is likely to result in a high risk to the rights and freedoms of individuals:
- Profiling vulnerable persons including children to target marketing or online services at such persons (e.g.using the posts of a child’s social media feed to target content at them);
- Use of profiling or special categories of personal data as an element to determine access to services or that results in legal or effects (e.g. using social media posts to determine the creditworthiness of individuals);
- Systematically monitoring, tracking or observing individuals’ location or behaviour (e.g. using CCTV to monitor who is entering your home);
- Profiling individuals on a large scale (using CCTV to track who is entering a shop premises);
- Processing biometric data to uniquely identify an individual or individuals or enable or allow the identification or authentication of an individual (e.g. using fingerprint technology to determine who can access social welfare benefits).
For organisations whose lead DPA is the DPC, it is imperative that they familiarise themselves with their guidance. This will help to ensure that they are compliant with respect to undertaking DPIAs.
Our revised DPIA threshold analysis takes each of these potential types of processing operations into account to ensure you remain compliant with local requirements. In addition, our DPIA training and templates can assist organisations to better understand the mechanics of DPIAs and the information they should include.
