Assessing the impact of data protection
Recently, the 40th meeting between the EDPS and the DPOs from the EU institutions and bodies took place at the European Union Intellectual Property Office (EUIPO) in Alicante. I congratulate EUIPO for hosting a very successful meeting, I truly valued the opportunity to interact with our data protection partners and reinforce our collaboration.
Among the items on the agenda for discussion were Data Protection Impact Assessments (DPIAs), workshops on individuals’ right of access and restrictions to that right, as well as on two newly adopted EDPS guidelines on mobile devices and web services. There are a number of newly appointed DPOs so we also ran a much-appreciated workshop for them on the practical application of the principles of the current Data Protection Regulation that applies to the EU institutions and bodies.
One significant change introduced by the General Data Protection Regulation (GDPR) is the DPIA. DPIAs embody a paradigm shift towards accountability in data protection law: organisations processing personal data (controllers) must be clear about what personal information they process, why they do so and how they do it, understand the risks of processing that data, and take measures to mitigate those risks.
DPIAs will apply to the private sector and to public authorities in the Member States. While the EU institutions, bodies and agencies do not fall under the GDPR, the data protection rules that apply to them will be adapted to reflect the GDPR in the near future. I expect a Commission proposal to revise the rules for the EU institutions in early 2017, and we are sure the requirement of DPIAs for certain processing operations will be introduced, as it is in the Member States.
By discussing the implications and the practicalities of DPIAs now, we hope to provoke thinking and action in the EU institutions in preparation for their introduction. By inducing organisations to think about how they process personal information in a structured way, DPIAs are designed to help them to plan, organise and manage risks rather than be caught out by a data protection problem.
The GDPR provides an indicative list of when DPIAs should be carried out. The discussions between the DPOs, my staff and I centred around how to approach some of the more abstract notions on that list in practice: for instance, how are we to determine "large scale"? A single CCTV camera located at the entrance of a server room which is not publicly accessible could not be considered large-scale; but what about video surveillance of large, publicly accessible courtyards of EU institutions?
In terms of health data, the GDPR's recital 91 explains that an individual physician should not have to conduct a DPIA for the processing of her patients' medical records; however, can the medical service of one of the larger EU institutions be considered large-scale? Given that this is an indicative list, DPOs may consider that there are other processing operations that are high risk.
The GDPR also provides a broad overview of how to carry out a DPIA and what needs to be included. Our discussions about the what, how and why of a DPIA, and about the risks to individuals and how to mitigate them, led to questions about whether there ought to be one single methodology or template, or whether there should instead be criteria for different methodologies from which each organisation can select the one that best fits its needs.
A frequent source of confusion concerns the relationship between DPIAs, organisational risk management and information security risk management. Where DPIAs assess the risks to the people affected by the processing of their data, organisational risk management assesses the risks to the organisation, and information security risk management assesses the risks to the organisation's information assets. While these three types of assessment are not the same, there are overlaps: you cannot have good data protection without good information security.
In all of our discussions at the DPO meeting, we also referred to the work already done by our colleagues in the national data protection authorities (DPAs). Many DPAs in the EU have created materials and methodologies on privacy impact assessments, which are essentially the ancestors of DPIAs. In addition to the work done by, for instance, the CNIL in France, the ICO in the United Kingdom or the AGPD in Spain, there is also academic literature on the subject.
The EDPS will continue to work with our DPO partners to make sure that the EU institutions are ready when the new rules come into force. Until then, we will use their valuable feedback to provide more input to the Article 29 Working Party’s work on making the DPIA rules outlined in the GDPR work in practice.