DPIA: an essential new GDPR obligation for Controllers

Data Protection Impact Assessment (DPIA): although identified in the past under slightly different names, the need to perform a preventive analysis of the risks that personal data processing poses to the rights and freedoms of natural persons has already been in the spotlight for specific business sectors, at least in the EU.

This is the case for RFID (Radio Frequency IDentification), for which the WP29 issued several Opinions (Opinion 5/2010 and Opinion 9/2011) and the European Commission issued a specific Recommendation (May 2009) on the implementation of privacy and data protection principles in applications supported by radio-frequency identification.

Another important existing DPIA case is that of Smart Grid and Smart Metering Systems (energy sector), for which the WP29 again issued a specific Opinion (Opinion 4/2013) on the Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems ('DPIA Template') prepared by Expert Group 2 of the Commission's Smart Grid Task Force.


Now the GDPR provides for specific DPIA obligations for Controllers regardless of business sector: in other words, GDPR Articles 35 and 36 require that all Controllers subject to the EU GDPR (see also the previous blog post about GDPR & Territorial Scope) follow the DPIA procedure when necessary. Please note that the DPIA procedure involves Prior Consultation of the Supervisory Authority (Article 36) if the assessment (Article 35) indicates that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate it.

Infringement of the GDPR DPIA provisions is subject to administrative fines of up to EUR 10 000 000 or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. Therefore, also in light of the severe GDPR sanction framework, it is essential that the Controller properly implements the DPIA procedure, fulfilling the provisions of Articles 35 and 36.


The figure below gives an overview of the essential DPIA obligations brought by GDPR Article 35.

[Figure: GDPR Article 35: DPIA essential obligations for Controllers]

The 'DPIA start criteria' are set out in Article 35(1): "Where a type of processing in particular using new technologies and taking into account the nature, scope, context and purpose of the processing is likely to result in a high risk to the rights and freedoms of natural persons".

The GDPR does not clearly specify the meaning of 'high risk' to the rights and freedoms of natural persons; in my understanding this clearly reflects the fact that high risk cannot be an absolute entity: on the contrary, it has an unavoidably relative value depending on the context of the processing (purposes, data, processing operations, technical and operational environment, data flows, number and type of data subjects, processors, third parties, ...).

However, it is quite clear that the Controller's responsibility for establishing whether data processing operations involve a risk or a high risk should be discharged on the basis of an objective assessment, with reference to the nature, scope, context and purpose of the processing, estimating through a stable procedure the likelihood and severity of the risk. For this reason it is important that the foreseen Privacy Codes of Conduct (Article 40) and Privacy Certification schemes (Article 42) play a stabilising and clarifying role by defining clear rules for the implementation of such a crucial decision, valid in specific contexts or business sectors.

It is important to note that, under Article 35(4) (mandatory for the Supervisory Authorities) and Article 35(5) (optional for the Supervisory Authorities), there could still be room to jeopardize uniform data protection rules at the local EU Member State level, one of the main negative outcomes of the Privacy Directive 95/46/EC: we must strongly hope that the Consistency Mechanism between the EU Supervisory Authorities (Article 63), specifically provided for ensuring real uniformity of data protection rules in the EU, will be effective. Specifically, it is imperative to have common EU rules to be observed also in those cases that are not explicitly listed in Article 35(3) but which are possible sources of DPIA-relevant risks, for example: cloud services used to perform particular personal data processing, and data processing carried out by private companies with systems that monitor workers or implement procedures in support of whistleblowing routines, ...

Unfortunately, the possible differences in local rules arising from Article 35(10) do not appear to be recoverable under the aforementioned Consistency Mechanism.


What about the Prior Consultation? The Article 36 obligation for the Controller, consisting in Prior Consultation of the Supervisory Authority when the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate it, is not a completely new requirement when comparing the GDPR with the Privacy Directive 95/46/EC: in fact, it appears to be a revision and merger of the Notification and Prior Checking obligations (Article 18 and Article 20 of Directive 95/46/EC respectively), now designed with rules aimed at circumscribing, at a common EU level, the procedure and related timing for the Supervisory Authorities, but paid for by the Controllers with a very impressive sanction level (up to 10 million EUR...) in case of infringement of this obligation.