GDPR - Data Protection Impact Assessment - DPIA Process


Recital - 91.
Necessity of a Data Protection Impact Assessment
Executive Summary
Have a PIA template available and, if data processing will impact more than 5% of your data subjects, partners or employees, complete an assessment.
Recital Text
This should in particular apply to large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights. A data protection impact assessment should also be made where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures. A data protection impact assessment is equally required for monitoring publicly accessible areas on a large scale, especially when using optic-electronic devices or for any other operations where the competent supervisory authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale. The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer. In such cases, a data protection impact assessment should not be mandatory.
 
Recital - 92.
Broader Data Protection Impact Assessment
Executive Summary
Have a PIA template available and, if data processing will impact more than 5% of your data subjects, partners or employees, complete an assessment.
Recital Text
There are circumstances under which it may be reasonable and economical for the subject of a data protection impact assessment to be broader than a single project, for example where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity.
 
Recital - 93.
Data Protection Impact Assessment at Authorities
Executive Summary
Have a PIA template available and, if data processing will impact more than 5% of your data subjects, partners or employees, complete an assessment. It is also possible that a governing body will carry out this assessment of your operations.
Recital Text
In the context of the adoption of the Member State law on which the performance of the tasks of the public authority or public body is based and which regulates the specific processing operation or set of operations in question, Member States may deem it necessary to carry out such assessment prior to the processing activities.
 
Recital - 94.
Consultation of the Supervisory Authority
Executive Summary
Have a PIA template available and, if data processing will impact more than 5% of your data subjects, partners or employees, complete an assessment. Based on that assessment, implement technology solutions to mitigate the identified risks.
Recital Text
Where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation, the supervisory authority should be consulted prior to the start of processing activities. Such high risk is likely to result from certain types of processing and the extent and frequency of processing, which may result also in a realisation of damage or interference with the rights and freedoms of the natural person. The supervisory authority should respond to the request for consultation within a specified period. However, the absence of a reaction of the supervisory authority within that period should be without prejudice to any intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation, including the power to prohibit processing operations. As part of that consultation process, the outcome of a data protection impact assessment carried out with regard to the processing at issue may be submitted to the supervisory authority, in particular the measures envisaged to mitigate the risk to the rights and freedoms of natural persons.
 
Recital - 95.
Support by the Processor
Executive Summary
Have a PIA template available and, if data processing will impact more than 5% of your data subjects, partners or employees, complete an assessment.
Recital Text
The processor should assist the controller, where necessary and upon request, in ensuring compliance with the obligations deriving from the carrying out of data protection impact assessments and from prior consultation of the supervisory authority.
 
Recital - 96.
Consultation of the Supervisory Authority in the Course of a Legislative Process
Executive Summary
Have a PIA template available and, if data processing will impact more than 5% of your data subjects, partners or employees, complete an assessment. Work with the SA to ensure that processing activities comply with the GDPR.
Recital Text
A consultation of the supervisory authority should also take place in the course of the preparation of a legislative or regulatory measure which provides for the processing of personal data, in order to ensure compliance of the intended processing with this Regulation and in particular to mitigate the risk involved for the data subject.
Executive Summary
Policies and procedures should be put in place to determine whether a DPIA is needed. This is usually done with an initial inventory of personal data: its type and sensitivity, how it is used, and the associated business processes. A Privacy Impact Assessment is then performed to determine the risks and possible mitigations. These procedures need to be performed before any new business process that uses personal data is started.

The DPO should review the information gathered above and determine whether a DPIA is necessary. The DPIA must contain four essential aspects, although additional supporting information can be included. The four aspects are the following:

- Systematic description of the processing operation and purpose
- Necessity and proportionality of the processing in relation to the purpose
- Risks to the rights and freedoms of the data subjects
- Measures used to mitigate the risks

If it is determined that a high risk to data subjects' rights remains even after mitigation, the Supervisory Authority may be consulted.



Article ID: 402
Created: September 28, 2022
Last Updated: September 28, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/gdpr-data-protection-impact-assessment-dpia-process-402.html