|Printable version||E-mail this to a friend|
Assessing the impact of data protection
Recently, the 40th meeting between the EDPS and the DPOs from the EU institutions and bodies took place at the European Union Intellectual Property Office (EUIPO) in Alicante. I congratulate EUIPO for hosting a very successful meeting, I truly valued the opportunity to interact with our data protection partners and reinforce our collaboration.
Among the items on the agenda for discussion were Data Protection Impact Assessments (DPIAs), workshops on individuals’ right of access and restrictions to that right, as well as on two newly adopted EDPS guidelines on mobile devices and web services. There are a number of newly appointed DPOs so we also ran a much-appreciated workshop for them on the practical application of the principles of the current Data Protection Regulation that applies to the EU institutions and bodies.
One significant change introduced by the General Data Protection Regulation (GDPR) are DPIAs. They embody a paradigm shift towards accountability in data protection law: organisations processing personal data (controllers) must be clear about what personal information they process, why they do so, how they do it, understand the risks to processing that data and take measures to mitigate those risks.
DPIAs will be applicable to the private sector, public authorities in the Member States. While the EU institutions, bodies and agencies do not fall under the GDPR, the data protection rules that apply to them will be adapted to reflect the GDPR in the near future. I expect a Commission proposal to revise the rules for the EU institutions in early 2017 and we are sure the requirement of DPIAs for certain processing operations will be introduced as it is in Member States.
By discussing the implications and the practicalities of DPIAs now, we hope to provoke thinking and action in the EU institutions in preparation for their introduction. By inducing organisations to think about how they process personal information in a structured way, DPIAs are designed to help them to plan, organise and manage risks rather than be caught out by a data protection problem.
The GDPR provides an indicative list of when DPIAs should be carried out. The discussions between the DPOs, my staff and I centred around how to approach some of the more abstract notions listed in practice for instance, how are we to determine large scale? A single CCTV camera located at the entrance of a server room which is not publicly accessible could not be considered large-scale; but what about video surveillance of large, publicly accessible courtyards of EU institutions?
In terms of health data: the GDPR’s recital 91 explains that an individual physician should not have to conduct a DPIA for the processing of her patients’ medical records; However, can the medical service of one of the larger EU institutions be considered large-scale? Given that this is an indicative list, DPOs may consider that there are other processing operations that are high risk.
The GDPR also provides a broad overview of how to carry out a DPIA and what needs to be included. Our discussions about the what, how and why of a DPIA and the considerations of the risks to individuals and mitigating those risks led to questions about whether there ought to be one single methodology or template; should there be criteria for different methodologies from which each organisation can select those that best fits its needs?
A frequent source of confusion concerns DPIAs and organisational risk management and information security risk management. Where DPIAs assess the risks for people affected by the processing of their data, organisational risk management assesses the risks to the organisation and information security risk management assesses risks to the organisation’s information assets. While these three types of assessment are not necessarily the same, there are overlaps: you cannot have good data protection without good information security.
In all of our discussions at the DPO meeting, we also referred to the work already done by our colleagues in the national data protection authorities (DPAs). Many DPAs in the EU have created materials and methodologies on privacy impact assessments, which are essentially the ancestors of DPIAs. In addition to the work done by for instance, the CNIL in France, the ICO in the United Kingdom or the AGPD in Spain, there is also academic literature on the subject.
The EDPS will continue to work with our DPO partners to make sure that the EU institutions are ready when the new rules come into force. Until then, we will use their valuable feedback to provide more input to the Article 29 Working Party’s work on making the DPIA rules outlined in the GDPR work in practice.
Latest News from
European Interoperability Framework: EC presents new guidance for digital public services24/03/2017 15:25:00
The EC has published a new European Interoperability Framework which will help European public administrations to coordinate their digitisation efforts when delivering public services.
Consumer Financial Services Action Plan: Better products and more choice for European consumers24/03/2017 14:25:00
The EC has presented an Action Plan that sets out ways to provide European consumers with greater choice and better access to financial services across the EU.
ESMA publishes two sets of guidelines under CSDR24/03/2017 13:25:00
The European Securities and Markets Authority (ESMA) has issued final reports on two sets of guidelines regarding the implementation of the Central Securities Depositary Regulation (CSDR). The CSDR harmonises the settlement of securities by providing a set of common requirements for central securities depositories (CSDs) operating securities settlement systems.
EU Digital Market : consumer protection must be top priority24/03/2017 12:25:00
EESC Consumer Day in Malta revealed the need for better regulation.
60th anniversary of the Treaty of Rome24/03/2017 11:25:00
Parliament’s President Antonio Tajani, political group leaders and other leading MEPs will meet with Italy’s highest public officials, starting with President Sergio Mattarella on Friday, and take part in the celebration of the 60th anniversary of the Treaty of Rome on Saturday.