Impact assessment in the processing of personal data
The impact assessment is a fundamental mechanism to ensure that the processing of personal data is as secure as possible. Every organization faces a multitude of risks and uncertainties in the development of its activity, which must be properly managed so that the materialization of these risks and uncertainties does not cause damage.
The General Data Protection Regulation (hereinafter GDPR) itself makes numerous references to risk, but the most important of them is Article 24.1, which states that, taking into account the nature, context and purposes of the processing and the various risks to the rights and freedoms of data subjects, the controller must adopt technical and organizational measures that allow it to demonstrate compliance with the GDPR, and thus with the principle of proactive accountability.
It is precisely at this point that the concept of impact assessment becomes important: although the GDPR does not prescribe a specific way to manage risk, leaving the controller free to decide on the measures that best suit it, Articles 35 and 36 do set out a series of requirements that must be taken into account when carrying out high-risk processing, namely the unavoidable obligation to carry out an impact assessment. But what do we mean when we talk about an impact assessment?
What is an impact assessment?
The Article 29 Working Party's WP248 Guidelines define it as “a process designed to describe the processing, assess its necessity and proportionality, which helps to manage the risks to the rights and freedoms of natural persons arising from the processing of personal data, identifying measures to address them”.
The main regulation on the impact assessment is found in Articles 35 and 36 of the GDPR, with Article 35 establishing that it must be carried out for those processing operations that pose a high risk to the rights and freedoms of individuals. On this point, the Article 29 Working Party establishes that the reference to these rights mainly encompasses the fundamental rights to data protection and privacy, but also implies the safeguarding of other rights, such as freedom of expression, thought, movement, conscience and religion, etc. For this reason, an impact assessment is not mandatory for every processing operation, but only when the processing to be carried out is likely to affect the aforementioned rights.
We have already seen in general terms what an impact assessment is and when it is mandatory; we will now detail which types of processing require it.
Data processing subject to impact assessment
As we have already explained, the analysis of the processing of personal data only has to be carried out when the processing involves a high risk to the rights and freedoms of data subjects, whether due to the use of new technologies or to its nature, scope, context or purposes, etc.
In the first place, these characteristics are fulfilled by the cases contemplated in Art. 35.3 GDPR. However, there are other situations where carrying out the impact assessment is mandatory, such as when it is required by a special rule; when one of the guidelines of the European Data Protection Board identifies a processing operation as high risk; or when the processing is subject to a code of conduct or a certification mechanism that requires the controller to carry out the assessment.
Likewise, Art. 35.4 GDPR establishes the obligation for the competent supervisory authority to draw up and publish lists of the types of processing that may be considered high risk. These lists are not closed and serve as a guideline for controllers: if a processing operation to be carried out meets two or more of the criteria on the list, the impact assessment must necessarily be carried out, unless the operation falls under one of the exceptions of Art. 35.5 GDPR.
These lists must contemplate the conditions for carrying out a DPIA listed in the WP248 Guidelines. By way of example, some of the processing operations included in the list drawn up by the Spanish supervisory authority (Spanish Data Protection Agency) are, among others: processing involving the geolocation of the data subject, use of biometric data, use of genetic data, large-scale processing of data, processing of data of children under 14 and of victims of gender-based violence, etc. For its part, the Information Commissioner's Office (ICO) recommends that organizations ask themselves a series of questions to help decide when a DPIA is necessary, such that an affirmative answer to any of them is a clear indicator that carrying out the assessment is mandatory.
Some of these questions are: Does the project involve the collection of new information about individuals? Does the project require the collection of personal information from stakeholders? Will the information be disclosed to organizations that have not previously had access to it? Is the information collected particularly sensitive? And so forth.
To better understand in practice the benefits of performing a risk analysis, the French National Commission on Computers and Liberties (CNIL) gives the example of a new application launched on the market that collects user data, including access to the users' geolocation; the servers are then hacked by a criminal organization that uses this data to find out where each user lives and when the homes are empty in order to burgle them. This problem would not have arisen if an impact assessment had been carried out before launching the application, since the possible risks, their severity and the supporting measures needed to avoid such situations would have been analyzed beforehand.
We have seen the cases where an impact assessment is mandatory, but when is an impact assessment not required?
According to the Article 29 Working Party (WP29), there are several scenarios where this assessment need not be carried out, such as, for example:
- Where there is no apparent risk to the rights and freedoms of data subjects.
- Where a processing operation of a similar nature and purpose to another processing operation for which an impact assessment has already been carried out is to be carried out.
- Where the processing operation is not included in the list established by the supervisory authority because it is an exception, according to Art. 35.5 GDPR.
- Where the processing operation, pursuant to Art. 35.10 GDPR, has a legal basis in Union law or Member State law for which an impact assessment was already carried out when that legal basis was adopted.
- Where the processing activities have been verified by the supervisory authority before May 2018.
In any case, it should be noted that the impact assessment is not a static process performed only once on a single processing operation; it should be reviewed and monitored periodically, because the risk scenarios are constantly changing and it may become necessary to implement new measures for processing operations that have already been analyzed.
Recommendations for conducting an impact assessment
There is no specific methodology or set of guidelines on how to carry out the impact assessment, but carrying it out incorrectly or incompletely can lead to heavy financial penalties, so it is necessary to pay attention to the content of Article 35.7 and Recitals 84 and 90 of the GDPR, which specify the minimum content of any assessment. It is also helpful to refer again to the WP248 Guidelines, which establish the criteria for an acceptable DPIA, always taking the aforementioned regulation into account.
First, a detailed description of the processing must be made, taking into account: the nature, scope, context and purposes of the processing; an inventory of the personal data, recipients and retention periods; a functional description of the processing operation; identification of the media containing such data; and compliance with approved codes of conduct.
Next, the necessity and proportionality of the processing must be assessed, taking into account, among other things: the lawfulness of the processing, the specified purposes, the measures that contribute to the data subjects' ability to exercise their rights, the guarantees for international transfers (if any) and the prior consultation provided for in Art. 36 GDPR.
The next step is to focus on the risks to the rights and freedoms of data subjects and their management: taking into account the nature of the risks and their impact on those rights and freedoms, estimating their likelihood and severity, and determining the measures envisaged to address them. According to the ICO, there are several measures that organizations can take to reduce risk and make processing more secure, such as: deciding not to store certain types of information; establishing retention periods that keep information only for as long as necessary and then planning for its secure destruction; ensuring that staff are properly trained and aware of the risks; developing ways to securely anonymize information; simplifying the response to data subject access requests; implementing appropriate technological security measures; and so on.
Finally, stakeholders should be involved, seeking the advice of the Data Protection Officer, if any, and the opinions of data subjects or their representatives.
After performing the impact assessment, which is in fact a genuine risk assessment, the controller must adopt the measures and controls necessary to mitigate the risks identified and bring the residual risk down to an acceptable and tolerable level. If this is not possible, it is necessary to resort to the prior consultation of Art. 36 GDPR and inform the supervisory authority of the high-risk situation that the processing still entails even after the impact assessment has been carried out, so that the authority may decide, within a period of 8 weeks, what it deems appropriate; it may even impose limitations on the processing, including its prohibition.
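The risk-management steps just described (estimate likelihood and severity, apply measures, check whether the residual risk is tolerable and otherwise go to prior consultation) can be kept in a small risk register. The following is an added example written for this article, not code from the GDPR, WP248, the ICO or any supervisory authority: the four-level scales, the acceptance threshold and the sample risks (modelled on the CNIL geolocation scenario above) are all assumptions chosen for illustration.

```python
"""Toy DPIA risk register: inherent risk, envisaged measures, residual risk,
and a flag for prior consultation under Art. 36 when residual risk stays high.

Illustrative example only. The 1-4 ordinal scales, the acceptance threshold
and the sample register are assumptions, not values from the GDPR or any
supervisory authority's methodology.
"""
from dataclasses import dataclass, field

# Assumed ordinal scale used for both likelihood and severity.
SCALE = {1: "negligible", 2: "limited", 3: "significant", 4: "maximum"}

# Assumed acceptance threshold on the likelihood x severity product:
# anything above this is treated as residual high risk.
ACCEPTABLE_RESIDUAL = 4


@dataclass
class Measure:
    """An envisaged measure and how many scale steps it is judged to remove."""
    name: str
    likelihood_reduction: int = 0
    severity_reduction: int = 0


@dataclass
class Risk:
    """One risk to the rights and freedoms of data subjects."""
    description: str
    likelihood: int
    severity: int
    measures: list = field(default_factory=list)

    def __post_init__(self):
        if self.likelihood not in SCALE or self.severity not in SCALE:
            raise ValueError("likelihood and severity must be on the 1-4 scale")

    def inherent_score(self) -> int:
        return self.likelihood * self.severity

    def residual(self) -> tuple:
        """Residual (likelihood, severity) after measures; never below 1."""
        lik = self.likelihood - sum(m.likelihood_reduction for m in self.measures)
        sev = self.severity - sum(m.severity_reduction for m in self.measures)
        return max(1, lik), max(1, sev)

    def residual_score(self) -> int:
        lik, sev = self.residual()
        return lik * sev


def assess(risks) -> dict:
    """Score every risk and decide whether prior consultation is needed."""
    rows = []
    for r in risks:
        rows.append({
            "risk": r.description,
            "inherent": r.inherent_score(),
            "residual": r.residual_score(),
            "acceptable": r.residual_score() <= ACCEPTABLE_RESIDUAL,
        })
    # If any residual risk remains above the threshold, the controller cannot
    # simply proceed: the Art. 36 prior consultation route applies.
    return {
        "risks": rows,
        "prior_consultation_required": any(not row["acceptable"] for row in rows),
    }


def sample_register() -> list:
    """Constructed sample register for a geolocation-collecting mobile app."""
    breach = Risk(
        "Server breach exposes users' home locations and routines",
        likelihood=3, severity=4,
        measures=[
            Measure("Encryption at rest and strict access control", likelihood_reduction=1),
            Measure("Coarse location only, short retention", severity_reduction=1),
        ],
    )
    retention = Risk(
        "Location history kept longer than necessary",
        likelihood=2, severity=2,
        measures=[Measure("Retention schedule with automatic deletion", likelihood_reduction=1)],
    )
    return [breach, retention]


if __name__ == "__main__":
    result = assess(sample_register())
    for row in result["risks"]:
        print(f"{row['risk']}: inherent {row['inherent']}, residual {row['residual']}, "
              f"acceptable={row['acceptable']}")
    print("Prior consultation required:", result["prior_consultation_required"])
```

With the sample values, the breach risk falls from 12 to 6 but still exceeds the assumed threshold, so the register flags prior consultation; adding a further severity-reducing measure (for example pseudonymizing the stored location data) brings it to 4 and clears the flag. The point of keeping the register in this form is that each measure's contribution is explicit and the assessment can be re-run as the risk scenario changes, which is what the periodic review described above requires.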
As we have seen, the impact assessment is a process that every data controller should take into account when processing more sensitive data, since the result of the analysis provides relevant information on which risks must be mitigated or eliminated before the specific processing is carried out. The probability of being sanctioned is thereby greatly reduced, as the controller will have complied with the principle of proactive accountability and acted diligently in protecting the personal data of data subjects.