Assessing the impact of data protection
Recently, the 40th meeting between the EDPS and the DPOs from the EU institutions and bodies took place at the European Union Intellectual Property Office (EUIPO) in Alicante. I congratulate EUIPO for hosting a very successful meeting; I truly valued the opportunity to interact with our data protection partners and reinforce our collaboration.
Among the items on the agenda for discussion were Data Protection Impact Assessments (DPIAs), workshops on individuals’ right of access and restrictions to that right, as well as on two newly adopted EDPS guidelines on mobile devices and web services. There are a number of newly appointed DPOs so we also ran a much-appreciated workshop for them on the practical application of the principles of the current Data Protection Regulation that applies to the EU institutions and bodies.
DPIAs are one significant change introduced by the General Data Protection Regulation (GDPR). They embody a paradigm shift towards accountability in data protection law: organisations processing personal data (controllers) must be clear about what personal information they process, why they do so and how they do it, and must understand the risks of processing that data and take measures to mitigate those risks.
DPIAs will be applicable to the private sector and public authorities in the Member States. While the EU institutions, bodies and agencies do not fall under the GDPR, the data protection rules that apply to them will be adapted to reflect the GDPR in the near future. I expect a Commission proposal to revise the rules for the EU institutions in early 2017 and we are sure the requirement of DPIAs for certain processing operations will be introduced as it is in Member States.
By discussing the implications and the practicalities of DPIAs now, we hope to provoke thinking and action in the EU institutions in preparation for their introduction. By inducing organisations to think about how they process personal information in a structured way, DPIAs are designed to help them to plan, organise and manage risks rather than be caught out by a data protection problem.
The GDPR provides an indicative list of when DPIAs should be carried out. The discussions between the DPOs, my staff and me centred on how to approach some of the more abstract notions listed in practice: for instance, how are we to determine large scale? A single CCTV camera located at the entrance of a server room which is not publicly accessible could not be considered large-scale; but what about video surveillance of large, publicly accessible courtyards of EU institutions?
In terms of health data: the GDPR’s recital 91 explains that an individual physician should not have to conduct a DPIA for the processing of her patients’ medical records. However, can the medical service of one of the larger EU institutions be considered large-scale? Given that this is an indicative list, DPOs may consider that there are other processing operations that are high risk.
The GDPR also provides a broad overview of how to carry out a DPIA and what needs to be included. Our discussions about the what, how and why of a DPIA and the considerations of the risks to individuals and mitigating those risks led to questions about whether there ought to be one single methodology or template; should there be criteria for different methodologies from which each organisation can select those that best fit its needs?
A frequent source of confusion concerns DPIAs, organisational risk management and information security risk management. Where DPIAs assess the risks for people affected by the processing of their data, organisational risk management assesses the risks to the organisation and information security risk management assesses risks to the organisation’s information assets. While these three types of assessment are not necessarily the same, there are overlaps: you cannot have good data protection without good information security.
In all of our discussions at the DPO meeting, we also referred to the work already done by our colleagues in the national data protection authorities (DPAs). Many DPAs in the EU have created materials and methodologies on privacy impact assessments, which are essentially the ancestors of DPIAs. In addition to the work done by, for instance, the CNIL in France, the ICO in the United Kingdom or the AGPD in Spain, there is also academic literature on the subject.
The EDPS will continue to work with our DPO partners to make sure that the EU institutions are ready when the new rules come into force. Until then, we will use their valuable feedback to provide more input to the Article 29 Working Party’s work on making the DPIA rules outlined in the GDPR work in practice.