As organizations scramble to implement alternative data transfer mechanisms and fill in their compliance gaps following the “Schrems II” decision, one important tool remains overlooked: the DPIA (data protection impact assessment).
Based on the text of Article 35 of the EU General Data Protection Regulation and subsequent European Data Protection Board guidance, organizations have typically conducted impact assessments only for processing activities likely to result in a high risk.
Many companies, particularly smaller companies or those that are primarily data processors, don’t often conduct formal DPIAs because their activities don’t fall strictly within the specific EDPB guidance. In the instances when a DPIA is performed, it is almost always conducted by the data controller.
Given the limited required scope, and the often misplaced concern that conducting a DPIA might somehow expose an organization to additional liability (nothing requires an organization to formally report the results if the activities are not considered high risk or likely to harm a data subject’s fundamental rights and freedoms), DPIAs are underused as a tool for building a data privacy program.
However, going forward, DPIAs should be considered beneficial to both controllers and processors for multiple reasons, including determining which alternative transfer mechanisms might be most viable, as well as establishing supplementary measures.
Also, in light of the recent decision, there is an argument that any processing activity involving a transfer outside of the European Economic Area could now be classified as a “high risk activity,” so a DPIA for such transfers may eventually become mandatory anyway.
There is no formal method for conducting a DPIA, which should give organizations comfort in developing templates that work best for their needs, as long as they meet the primary goal: demonstrating that you have thoroughly considered the risks (including legal, corporate, civil and reputational risks) and taken actions to mitigate them. Each risk should be mapped to a specific internal control, so that mitigation techniques are well documented and understood across the organization. Separate assessments should be conducted either by category of data or by specific product or service. Organizations should also record who (preferably an individual, though a specific role is acceptable) is responsible for each control, or for carrying out a plan to further mitigate the identified risk.
Core questions to consider are: Where is data coming from? What entity is sending the data? How is the data collected and on what legal basis? Are EU and U.S. personal data being commingled? Are you transferring data solely based on EU-U.S. Privacy Shield, or were you already using other mechanisms such as consent? Answering these questions should also provide confidence in answering questions you are inevitably getting from customers, users and vendors, and potentially data protection authorities.
The end result of a DPIA…