The General Data Protection Regulation (GDPR) introduces a new duty to carry out and document a data protection impact assessment (DPIA) for high-risk processing. A DPIA should be based on adequate risk assessment and risk management. Should a company conclude in its risk analysis that a specific data processing activity is likely to result in a "high risk" to the rights and freedoms of data subjects, a DPIA needs to be conducted. This applies in particular where extensive data is used for profiling, where sensitive personal data is processed on a large scale, or where publicly accessible areas are systematically monitored.
In April 2017 Europe's data protection authorities, organised in the Article 29 Working Party (WP29), published draft guidelines on DPIAs and on determining whether processing is "likely to result in a high risk", and asked stakeholders to submit comments by 23 May 2017.
Bitkom welcomes that the WP29 leaves open which risk management and DPIA procedures may be used, and that it gives a clear indication of which criteria are sufficient to evaluate whether a DPIA, or a methodology for carrying out a DPIA, is comprehensive enough to comply with the GDPR. However, we are concerned that the draft guidelines risk a significant shift in paradigm: whereas the GDPR requires a DPIA only in exceptional cases, the data protection authorities appear to treat it as a standard procedure.