On 6 July 2020, the European Data Protection Supervisor (EDPS) published a report on data protection impact assessments (DPIAs) under article 39 of the General Data Protection Regulation (GDPR).
As explained in the report, DPIAs are an important accountability tool and one of the most valuable sources for understanding how the data processing landscape on the ground is changing. The report sets out guidance and lessons learnt on the process and substance of conducting a DPIA, including the following:
- Data protection needs to be flagged early on – and the focus needs to be maintained.
- Special caution needs to be exercised regarding the involvement of third parties, data processors or operators.
- The data controller or responsible party needs to be in the driving seat, requiring the allocation of appropriate resources and awareness-raising.
- Resources need to be dedicated to monitoring the implementation of the outcome of the DPIA.
- DPIAs should cover both data protection risks and an information security risk assessment.
- Conducting a DPIA can be a lengthy process as it is sometimes difficult to obtain all the necessary information, especially if external processors are involved.
- A workflow can be a helpful tool where the procedure followed for the processing operation is not yet clear.
The report is accessible here.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].