DPIAs according to WP 29 Designing for Privacy

Leonardo H. Iwaya, CC-BY-4.0

DPIAs according to WP 29: Clarifications on DPIA’s obligatoriness

• A DPIA is only required when the processing “is likely to result in a high risk to the rights and freedoms of natural persons” (Art. 35(1))
• To ensure consistent interpretation of the circumstances in which a DPIA is mandatory
• To provide criteria on whether a DPIA is required

(WP 248, Guidelines on Data Protection Impact Assessment […])

DPIAs according to WP 29: Criteria for likely high risk

The following criteria should be considered:

1. Evaluation or scoring
2. Automated decision-making with legal effect
3. Systematic monitoring
4. Sensitive data
5. Data processed on a large scale
6. Datasets matched or combined
7. Data concerning vulnerable data subjects
8. Innovative use (e.g., new technology)
9. Data transfer across borders outside the EU
10. When the processing in itself “prevents […] from exercising a right or using a service […]”

If 2 or more criteria apply: likely high risk (DPIA needed)

DPIAs according to WP 29: Examples

Examples of processing, with the possibly relevant criteria and whether a DPIA is required:

1. A hospital processing its patients’ genetic and health data (hospital information system).
   • Sensitive data
   • Data concerning vulnerable data subjects
   DPIA required? Yes

2. The use of a camera system to monitor driving behaviour on highways. The controller envisages using an intelligent video analysis system to single out cars and automatically recognise license plates.
   • Systematic monitoring
   • Innovative use or applying technological or organisational solutions
   DPIA required? Yes

3. A company monitoring its employees’ activities, including the monitoring of the employees’ work station, internet activity, etc.
   • Systematic monitoring
   • Data concerning vulnerable data subjects
   DPIA required? Yes

4. The gathering of public social media profile data to be used by private companies generating profiles for contact directories.
   • Evaluation or scoring
   • Data processed on a large scale
   DPIA required? Yes

5. An online magazine using a mailing list to send a generic daily digest to its subscribers.
   • (none)
   DPIA required? Not necessarily

6. An e-commerce website displaying adverts for vintage car parts, involving limited profiling based on past purchase behaviour on certain parts of its website.
   • Evaluation or scoring, but not systematic or extensive
   DPIA required? Not necessarily

Examples of EU DPIA frameworks

EU generic frameworks
• DE: Standard Data Protection Model (2016)
• ES: Guía para una Evaluación de Impacto en la Protección de Datos Personales (EIPD), AGPD (2014)
• FR: Privacy Impact Assessment (PIA), CNIL (2015)
• UK: Conducting privacy impact assessments code of practice, ICO (2014)

EU sector-specific frameworks
• PIA Framework for RFID Applications
• DPIA Template for Smart Grid and Smart Metering systems

Standards
• ISO/IEC 2913430

Criteria for an acceptable DPIA

Criteria for a DPIA (30+ items, Annex 2):
• a systematic description of the processing is provided
• necessity and proportionality are assessed
• risks to the rights and freedoms of data subjects are managed
• interested parties are involved

All in all...
• WP 29 uses the terms PIA and DPIA interchangeably
• Previous work on PIA frameworks is the main reference
• How do you do a DPIA? Just do a PIA.

References

• WP 248, 2017. Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679. (http://ec.europa.eu/newsroom/document.cfm?doc_id=44137)

Icons and Images
• Graphiqa Stock (https://www.iconfinder.com/graphiqa)
• Juliia Osadcha (https://www.iconfinder.com/Juliia_Os)
• Hopnguyen Mr (https://www.iconfinder.com/Mr.hopnguyen)