When is a DPIA Required under the GDPR?

Written by Focal Point Insights | Jul 24, 2018 2:00:00 PM

Under the GDPR, Data Protection Impact Assessments (DPIAs) replace Privacy Impact Assessments (PIAs) and require organizations to assess processing activities that are likely to put a data subject’s privacy at high risk. In order to determine when a DPIA is required and when it isn’t, it’s important to have a good understanding of what is considered “high risk.” High risk processing activities are typically those that involve sensitive data, systematic monitoring, vulnerable individuals, etc. Some examples of these processes include:

  • Systematic and extensive evaluations of personal data based on automated processing, including profiling, on which decisions are based that produce legal effects concerning the individual or that significantly affect the individual;
  • Large-scale processing of special categories of data referred to in Article 9(1) of the GDPR, or of personal data relating to criminal convictions and offenses referred to in Article 10;
  • A systematic monitoring of a publicly accessible area on a large scale.

While these examples serve as a helpful starting point, they are broad in nature, leaving lots of room for interpretation by EU Member States and organizations and making it difficult to predict how Data Protection Authorities (DPAs) will enforce them. To address this challenge, Article 35 of the GDPR permits EU Member States to create blacklists, which list the processes that do require a DPIA, and whitelists, which list the processes that are exempt from a DPIA.

In this post, we’ll look at the Article 29 Working Party’s (WP29) blacklist and whitelist guidance, along with notable examples of blacklists and whitelists published by EU Member States. Then, download our quick guide to DPIA blacklists and whitelists for easy reference in the future.


Helpful DPIA Guidance from WP29

The WP29 (which was replaced by the European Data Protection Board (“EDPB”) on May 25, 2018) released guidance that elaborated on the GDPR’s requirements around what processes should be considered high risk and require a DPIA. This list includes:

  • Data Subject Evaluations: Information used to determine an individual’s work performance, financial situation, health, personal preference, behavior, location, etc.
  • Automated Decision Making: Automated decision-making processes that could affect a data subject from a legal standpoint or in ways that could significantly impact the individual, such as exclusion or discrimination.
  • Systematic Monitoring: Monitoring processes that may observe publicly accessible information.
  • Sensitive Data Processing: Activities that process sensitive data like political opinions, medical records, criminal convictions, etc.
  • Large-Scale Data Processing: Processing the personal information of a significant portion of the population, taking into account the period of time the data covers and its geographical reach.
  • Processing for Vulnerable Data Subjects: Vulnerable data subjects include children, immigrants, the elderly, and patients.
  • New Technological Processing Methods: The use of new technologies to collect, process, and manage data, such as biometric tools.
  • Risk of Limitation: Processing activities that could limit or prevent a data subject from exercising their rights or from making use of a service or contract.

After reading this list, it’s easy to see why these processes are deemed high risk. If misused or compromised, the impact on data subjects could be catastrophic.


Notable EU Member State DPIA Blacklists and Whitelists

Each Data Protection Authority (DPA) within a Member State can develop its own DPIA blacklist and/or whitelist. Most of these use the high-risk processes included in the WP29’s guidance as a starting point for their blacklists, but they often get a little more specific. So far, Germany and Belgium have taken the lead in issuing DPIA blacklists, but it’s expected that more EU Member States will release their own categorization lists in the near future.

Germany's DPIA Blacklist

As we saw in our guides to EU Member States’ derogations and their requirements around de-identification, Germany has been at the forefront of GDPR legislation and has continued this trend when it comes to DPIA guidance. Germany has 16 state DPAs, which have jurisdiction over private companies, and one federal DPA. Nine of the 16 state DPAs have released binding DPIA blacklists, and the federal DPA has also released a blacklist. While these various blacklists align on most major points, they do diverge in a few areas. Companies doing business throughout Germany will need to examine each of these blacklists carefully to avoid the hefty fines associated with failing to complete a DPIA.

Belgium’s DPIA Blacklist and Whitelist

So far, Belgium is the only EU Member State to issue recommendations for a DPIA blacklist and whitelist. While these follow the WP29’s guidelines, they also provide some additional guidance. Belgium’s DPIA blacklist recommendation focuses heavily on activities that process sensitive data and involve data subject profiling. Meanwhile, its whitelist mainly includes processing activities that are based on legitimate interest or are needed to meet legal requirements. By providing both a blacklist and a whitelist, Belgium has made it much easier for companies to determine what processes require a DPIA, allowing companies to focus their time, professionals, and resources accordingly.

Austria’s DPIA Whitelist

Austria caused quite a stir when it became the first EU Member State to release a binding DPIA whitelist on May 25, 2018 (which just happened to also be the GDPR’s effective date). Austria’s whitelist includes 22 processing activities that do not require a DPIA and also provides DPIA exemptions for sole-practitioner businesses (like doctors, pharmacists, etc.), scientific research, and video and audio recording used for documentaries. Austria’s new whitelist is viewed by many as a possible template for future whitelists from other Member State DPAs.

While many EU Member States are still relying on the WP29’s guidance to help companies determine when they need to perform DPIAs, it is expected that many of them will release their own blacklists and whitelists in the near future. Navigating the GDPR’s requirements has been a significant challenge for many organizations, and Member State derogations and legislation have added another layer to compliance. However, DPIA blacklists and whitelists can be a significant help to organizations as they seek to stay aligned with the GDPR and develop an effective program for performing DPIAs.

To learn more about what is included in each state’s DPIA blacklists or whitelists, download our free guide.

Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. This content is intended for informational purposes only.