(Republished from Οικονομικό Ταχυδρόμο)
Ioannis Psarakis, Lecturer, LL.M (III), PhD Cand.
Although references to issues related to the General Data Protection Regulation 2016/679 EU (GDPR) have now flooded our daily lives, a brief search on the internet reveals that the Data Protection Impact Assessment (DPIA) seems not to have received in our country the attention it deserves in its (great) importance.
- What is an Impact Assessment?
The preparation of an Impact Assessment Study is often an absolutely necessary pre-processing step for the processing of personal data. Attempting to accompany it with a title, in simple terms, it is the report of a form of 'self-assessment' of the entity that is to carry out a processing operation before it carries out the processing operation (e.g. before CCTV installation and video and audio recording).
- What gave rise to the 'birth' of DPIA - is it useful?
It is a requirement which was not foreseen in the previous regulatory framework. The paradigm shift brought about by the Impact Assessment Study is largely summarised in the following finding (which we also identify in para 89 of the preamble to the GDPR): whereas under the previous regime there was a general obligation to notify the competent supervisory authorities of the processing of personal data, this obligation has now been deemed appropriate to be replaced by effective procedures and mechanisms that focus on those types of processing operations that are likely to result in high This development - i.e. the abandonment of the prior notification regime to supervisory authorities - was substantially contributed to by the observation that the practice followed until then did not in all cases contribute to improving the protection of personal data.
This approach - for several reasons - is distinguished by its cost-effectiveness. Let us consider the workload of the Hellenic Data Protection Authority (HPA) when, even before an incident of personal data breach occurred, it was burdened with case files that merely involved notification of processing. Now, this burden is shifted to the person who "derives an interest" from the processing. The lightening of the Authority's workload is obvious.
But the DPIA also benefits the person for whom it is drafted. In particular, as is very often observed in practice, during the process of drafting a DPIA (and precisely because of the thorough examination carried out at the outset and on paper), security gaps and issues are identified which, in the event of an audit, would be the cause not only of sanctions but also of a series of negative consequences for the company (corporate profile - the consequences have been highlighted by a number of international publications in the field of marketing science). The DPIA is a catch-all that ultimately leads to self-control and verification.
- What is the minimum content of a DPIA?
A DPIA includes as detailed and systematic a description as possible of the envisaged processing operations, the purposes of the processing (i.e. the processing) and, where applicable, the legitimate interest pursued by the controller (e.g. the company taking the decision to install a CCTV system on its premises to prevent vandalism and criminal acts in general).
An assessment of the necessity and proportionality of the intended processing operation is also provided. To explain this in simple terms, the DPIA attempts to bring together the reasons why any processing operation that is to take place (e.g. image capture by uploading data to the cloud) is a solution not only capable of serving the purposes for which it is intended to be adopted (a common example of a purpose invoked by Data Controllers is the prevention of criminal acts e.g. The most common example of such a measure is the prevention of crime (e.g. in a factory site) but also the least intrusive, compared to others equally appropriate, to the rights of the subjects (i.e. the people being recorded).
For example, a DPIA would put forward reasons why a measure such as the installation of an alarm, although indeed less invasive of rights, would not ensure the security of the premises.
It has already been stressed that a central aspect in the whole process is respect for the rights of the subjects. A DPIA must therefore logically include an assessment of the risks to their rights and freedoms. This (i.e. the risk assessment) is accompanied by assessments along the axes of severity and likelihood of the risk arising (taking into account the nature, scope, context and purposes of the processing and the sources of the risk). A DPIA shall also describe the measures, safeguards and mechanisms envisaged to mitigate the identified risk.
By means of all of the above, the key aim of a DPIA is not only to ensure the protection of personal data but also to demonstrate compliance with the GDPR. And because this is an exercise whose effects may vary at any time (e.g. use of new processing tools, generation of new risks, proliferation of new ways of improper access to networks), Data Controllers must continuously assess the (new) risks arising from processing activities in order to ascertain
- In which cases is it mandatory?
By means of a general definition - which is also adopted by the GDPR itself - the obligation to draft a DPIA exists in those cases where "processing operations are likely to result in a high risk to the rights and freedoms of natural persons". This may be for a number of reasons, such as, for example, due to the use of new technologies in the processing, after, of course, taking into account the data being processed and the purpose for which it (i.e. the processing) is intended to take place.
The truth is that there are few cases in which we could confidently take a position for or against the need to carry out DPIAs in the context of specific processing operations and in a specific real-life context. This is because the definition is (rightly) quite general. As 'safe harbours' we can only characterise the cases mentioned in the Article 29 Working Party document (an independent European working group that has dealt with issues related to the protection of privacy and personal data, whose Directives have a strong guidance value), i.e. basically simple and minimally intrusive operations.
According to also Recital 91 of the GDPR, an operation that does not require a DPIA is for example the collection on file of email addresses by a controller for the purpose of sending newsletters or the processing of personal data of patients or clients of a private medical practitioner, other health professional or lawyer.
In contrast, there are many instances where we are treading in a grey area where a judgement as to whether the Data Controller is obliged to prepare a DPIA or whether this is simply left to its discretion cannot be made with certainty. The interesting practical (and financial) part here is that if it is subsequently (e.g. following a possible audit by the DPIA) decided that a DPIA was required but one has not been carried out, the fines can be high.
Reference is of course often made to 2% or 4% of the company's turnover. Indeed the fines can go up to there, these percentages are a "ceiling". In other words, such fines are envisaged to be imposed only in cases of 'school examples' of bad practice and lack of cooperation with the Authority and so on. Having said that, of course, fines at a level lower than the maximum are still a potentially very serious problem for the undertaking concerned, to the point where it could upset its financial planning.
Around the end of November 2020, the French authority (CNIL) imposed fines totalling €3,000,000 on two companies in the Carrefour group for breaching several provisions of the GDPR.
Failure to carry out a DPIA on processing subject to a requirement to carry out such a DPIA, or even carrying out a DPIA in an incorrect manner, can result in an administrative fine of up to €10,000,000 or, in the case of a company, up to 2% of the total worldwide annual turnover of the previous financial year, whichever is higher.
- Is there guidance for a more predictable and secure judgement on whether a DPIA is required in my case?
As a "rule of thumb", the families of criteria to consider when deciding whether a DPIA is required are grouped into the following three categories:
- Category 1: based on the types and purposes of processing.
- Category 2: based on the type of data and/or categories of data subjects.
- 3rd category: based on the additional characteristics and/or the means of processing used.
An explanation of the criteria is provided here (https://www.dpa.gr/sites/default/files/2019-09/65_2018anonym.pdf) - worth reading.
However, even with this guidance, classification in any particular case is an undertaking whose outcome we will often justifiably have reservations about. There are very likely to be borderline cases where the position of the Data Controller or even the DPO (Data Protection Officer) will not "meet" the Authority's judgment.
Some further guidance again cannot lend absolute certainty to the whole exercise. According to this, a DPIA is necessary where the intended processing involves systematic processing on which decisions are based that produce legitimate effects concerning or significantly affect the natural person. The same applies to the systematic monitoring of publicly accessible areas on a large scale and when the processing involves large-scale processing of special categories of data.
Practical examples where according to relevant Guidelines a prior DPIA is required are the following:
- A company that systematically monitors the activities of its employees, as well as their workstation, their internet activity and so on.
- A hospital that processes the genetic and health data of its patients.
- Collection of public data on social media for profiling.
- Storage for archival purposes of pseudonymised sensitive personal data concerning vulnerable data subjects in research projects or clinical trials.
In conclusion, we should add the following: to provide a more coherent set of processing operations requiring DPIA, each national authority issues a list which is, however, indicative. As the DPA itself states in its decision, the obligation to carry out a DPIA is neither lifted nor altered in every case of processing which "is likely to present a high risk to the rights and freedoms of natural persons". Therefore, the problem of the 'general definition' remains. Moreover, the rapid and continuous advancement of technology would certainly encourage any reference to specific acts, even taking into account the possibility of updating this list.
- Regardless of the mandatory nature, is it useful for my business to prepare a DPIA?
The preparation of a DPIA is ultimately in the interest of the business for two main reasons:
1. As we have observed (and perhaps if we exclude only simple processing cases) one will hardly be able to conclude with certainty that a particular processing operation does not require a DPIA to be carried out. Indeed, only for de minimis intrusive operations will we be able to confidently make a negative judgment (see the example of an e-journal that uses a list of email addresses to send general daily summaries to its subscribers). The result of this murky landscape is the possibility of a constant risk of a fine being imposed by the CPVO and beyond (see both civil and criminal liability).
Moreover, where, in the case of a processing operation, the nature, scope, context and purposes of the processing operation have many similarities with a processing operation for which a DPIA has already been carried out, the latter may also cover those 'similar' processing operations. In other words, with a DPIA, the controller can achieve compliance with more than one processing operation of 'controversial intensity'.
Besides, it is not at all excluded that a DPIA - even if not required - may be positively assessed by the competent authority in case of any personal data breach and thus have an influence on the calculation of any fine to be imposed.
2. But perhaps more important is the following observation, which also follows from the Act and which we have already alluded to: in the context of drafting a DPIA, a 'simulation' of the operations that will follow takes place; the comprehensive and thorough analysis of the processing process, the measures already decided to be taken, the risks and the justification in general beforehand often allows us to identify and correct security gaps and inconsistencies with the current regime, at no cost. But the cost will not be zero if these gaps are perceived following an audit by the Authority.