Bitkom comments on Art.29 Group draft Guidelines on Data Protection Impact Assessment
The General Data Protection Regulation introduces a new duty to carry out and document a data protection impact assessment (DPIA) for high-risk situations. A DPIA should be based on an adequate risk assessment and risk management process.
Should a company conclude in its risk analysis that a specific data processing activity will result in a “high risk” to the rights and freedoms of the data subject, a DPIA needs to be conducted, especially if extensive data is used for profiling, sensitive personal data is processed on a large scale, or public areas are systematically monitored (Art. 35 GDPR).
In April 2017, Europe’s data protection authorities, organized in the Article 29 Working Party (WP29), published draft guidelines on DPIA and on determining whether processing is “likely to result in a high risk”, and asked stakeholders to submit comments by 23rd May 2017.
Bitkom welcomes that the WP29 leaves open which risk management and DPIA procedures can be used (e.g. Standard Data Protection Model V.1.0 (Germany), AGPD (Spain), ICO (UK), CNIL (France) or international standards such as ISO/IEC DIS 29134) and gives a clear indication of which criteria are sufficient to evaluate whether or not a DPIA, or a methodology to carry out a DPIA, is sufficiently comprehensive to comply with the GDPR.
However, the guidelines fail to explain what exactly the “high risk for rights and freedoms of natural persons” is, nor do they consider the principle-based approach in the GDPR, which determines the risk level based on the “likelihood” and “severity” for the “rights and freedoms of natural persons”.
Instead, a rule of thumb (a very general tick-two-boxes approach) is introduced which tries to simplify the GDPR (which Bitkom generally welcomes) but also risks that SMEs in particular will apply such a list schematically as a one-size-fits-all approach.
Furthermore, Bitkom is very concerned that the broadness of the criteria in the list will lead to a result whereby e.g. global companies always have to carry out a DPIA. This would shift the paradigm, whereas the GDPR provides for a DPIA only in exceptional cases.
This year’s Privacy Conference will also focus on methodologies for Risk Assessment and Data Protection Impact Assessment.