What does Privacy by Design mean?
Privacy by Design, codified in Article 25 of the GDPR as “data protection by design and by default”, requires organisations to embed data protection and security safeguards at every step of their processes.
In particular, this means considering safeguards at the beginning rather than the end of the development of new products, policies and procedures or the deployment of new IT systems or applications.
It aims to build in appropriate technical and organisational measures to ensure sufficient personal data protection during the whole life cycle. It also gives an opportunity to discover possible deficiencies and enables the rethinking of processes with the help of a Data Protection Impact Assessment (DPIA).
A DPIA provides evidence for why a specific decision affecting the processing of personal data was taken and can therefore be used to demonstrate that Privacy by Design was taken into consideration and that the accountability principle was preserved.
What is a DPIA?
In general, a DPIA helps to identify and minimise data protection risks of a product, system, technology or process. It aims to describe and analyse in detail the new planned data processing operations; assess the necessity and proportionality of chosen measures; identify and assess risks; and suggest actions to mitigate them. It also helps to predict whether the identified risks are likely to impact individuals and to what extent.
DPIAs are not intended to focus solely on compliance risks; they should also consider other factors that can seriously undermine the rights and freedoms of individuals, for example by causing social or economic disadvantage or by violating human rights. DPIAs can also be a valuable tool as part of a wider review of a project which takes account of the financial and reputational benefits for an organisation.
DPIAs are expected to be used increasingly by organisations both for internal projects and for the risk assessment of third parties supplying new products or services. Organisations which make their DPIAs available to individuals could also gain significant reputational benefits.
When are DPIAs required?
Not every data processing operation requires a DPIA and the general rule is that they are only needed when the potential risks to individuals are high.
As with other GDPR requirements, organisations should apply a risk-based approach on an ongoing basis to decide whether serious impacts on individuals are likely and whether a DPIA is therefore required.
According to Article 35(3) of the GDPR, a DPIA must be carried out in three particular ‘high risk’ instances: (i) when an organisation plans to use systematic and extensive profiling or other automated decision-making that produces legal or similarly significant effects on individuals; (ii) when it processes special category or criminal offence data on a large scale; or (iii) when it carries out systematic monitoring of publicly accessible areas on a large scale.
This is not an exhaustive list: the Data Protection Authorities (“DPAs”) must publish their own lists of processing operations that require a DPIA and may also publish lists of operations that do not.
Although the GDPR aims to provide a more consistent approach towards the processing of personal data, the diversity of requirements to carry out DPIAs across European countries may be a challenge for multinational organisations and smaller entities which handle personal data of individuals located in multiple EU countries.
European Approach to DPIAs
The Article 29 Working Party, the predecessor of the European Data Protection Board (“EDPB”), anticipated this problem and adopted guidelines on DPIAs in October 2017, which the EDPB subsequently endorsed. The EDPB has also taken a consistent approach to the draft DPIA lists submitted by 22 EU countries and recently released opinions on them.
In the guidelines, nine criteria are listed, with the suggestion that when any two of them apply to a processing operation, a DPIA is required. However, because of the sensitivity of the personal data processed or the particular nature of the processing, one criterion on its own may be enough to require a DPIA.
The nine criteria cover instances where:
- Evaluation or scoring, including profiling and predicting, is taking place;
- Automated decision making with legal or similar significant effect on individuals is carried out;
- Systematic monitoring is taking place;
- Sensitive data or data of a highly sensitive nature is processed;
- Data is processed on a large scale;
- Matching or combining of datasets is taking place;
- Data concerning vulnerable individuals (e.g. children, employees) is processed;
- Innovative use or application of new technological or organisational solutions is taking place; and
- The outcome of processing prevents individuals exercising their rights or using a service or a contract.
In those opinions, the EDPB stressed that the processing of biometric or genetic data requires a DPIA when at least one other of the nine criteria also applies to the processing.
In the EDPB’s view, the same applies to employee monitoring, the processing of location data and the migration of data from one system to another. The EDPB has also clarified that joint controllership, the use of multiple or distributed IT systems and international data transfers do not, on their own, trigger the requirement for a DPIA. Most importantly, the EDPB considers that whether processing is ‘large scale’ must be assessed case by case; as a result, it advised several national authorities to delete specific numerical thresholds for the large-scale criterion from their DPIA lists.
It is important to note that EDPB opinions on national DPIA lists are not binding: the DPA concerned must take utmost account of them but may still maintain or amend its draft list. Organisations processing data of individuals in several EU countries therefore need to follow the final positions DPAs take on their national lists, because failure to ensure Privacy by Design (Article 25) or to carry out a DPIA when one is required (Article 35) can lead to fines of up to €10m or 2% of total worldwide annual turnover, whichever is higher.