Beware of errors in personal data protection impact assessments
The Office for Personal Data Protection (OPDP) has published its annual report for the past year, drawing attention to the mistakes made by data controllers when preparing data protection impact assessments (DPIAs).
A DPIA must be performed where the processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons. This must always be assessed considering the nature, scope, context, and purpose of the specific processing. For example, this may involve large-scale automated evaluations of personal aspects relating to natural persons, large-scale processing of sensitive personal data, or large-scale systematic monitoring of publicly accessible premises.
The purpose of the DPIA is, inter alia, to assess the necessity of the processing, evaluate the risks involved, and plan measures to manage those risks, including security measures and mechanisms to ensure the protection of personal data.
According to the experience of the OPDP, the most frequent errors in the DPIA are as follows:
- A description of the means for the protection of data subjects’ rights is missing or insufficiently elaborated.
- The description of the technical and organisational measures adopted tends to be general and, moreover, it is unclear how the DPIA submitter arrived at them, e.g., the OPDP's methodology is not used, and the data controller's own methodology is not clear either.
- Balancing tests are implemented in a problematic way, such that the necessity, suitability and proportionality of the personal data processing cannot be verified.
In case of any uncertainties, data controllers are advised to contact an expert or to consult directly with the supervisory authority before starting the actual processing.