The General Data Protection Regulation (GDPR) (applicable from 25 May 2018) will, in certain cases, oblige data controllers to carry out a data protection impact assessment (DPIA). There were some uncertainties under the GDPR as to when such DPIA is to be carried out and how. The Article 29 Working Party has recently published its guidelines to address these questions. The document is open for comments until 23 May 2017.

There is a requirement under the GDPR for data controllers to carry out a DPIA of the processing of personal data when such processing is likely to result in a high risk to the rights and freedoms of individuals. The aim of the assessment is to provide a description of the processing and the purposes of the processing, to assess the necessity and proportionality of the processing, to determine the risks that the processing entails for the rights and freedoms of individuals, and based on that, the DPIA has to summarize the measures that need to be taken to mitigate the risks.

The Article 29 Working Party clarifies that the GDPR does not require a DPIA to be carried out for every processing that may entail risks. Carrying out a DPIA is mandatory where the processing is likely to result in a high risk to the rights and freedoms of individuals and a DPIA is particularly relevant when a new data processing technology is being introduced. The Working Party provides ten criteria (see below) for determining whether processing is likely to result in a high risk. The Working Party considers that if a processing falls under at least two of the total ten criteria, a DPIA shall be carried out. However, individual circumstances may overwrite this rule of thumb and the Working Party recommends to perform a DPIA in case of uncertainty.

The ten criteria contain: 1. evaluation or scoring (including profiling or predicting from certain personal aspects); 2. automated decision-making with legal or similar significant effect; 3. systematic monitoring; 4. sensitive data, where the latter criterion does not only pertain to the so-called special categories of personal data but also to data that may increase the possible risks, such as location data, financial data, electronic communication data. Further criteria are: 5. data processed on a large scale; 6. datasets that have been matched or combined; 7. data concerning vulnerable data subjects (e.g. employees in relation to their employer, children, patients etc.); 8. innovative use of data or new technological or organisational solutions; 9. data transfers outside the EU; 10. and where the processing in itself prevents data subjects from exercising a right or using a service or a contract.

The Working Party’s guidelines clarify that data protection impact assessments will only have to be carried out for processing operations started after 25 May 2018 (the applicability of the GDPR). Nevertheless, the Working Party strongly recommends to carry out DPIAs for processing operations already underway prior to May 2018 and processing that was already subject to a DPIA should be reviewed where the risk may change.

The guidelines further clarify questions relating to the methodology for carrying out a DPIA and that the DPIA is to be carried out prior to the commencement of the processing, in line with the privacy by design and by default principles.

The DPIA is a useful tool for data controllers and has a key role in ensuring compliance with the GDPR. In line with the accountability principle of the GDPR, it is essential to document every step of a DIPA, including the decision whether or not to carry out a DPIA. The criteria and findings set out by the Working Party will help businesses in preparing for the GDPR and conducting DPIAs and will also help data protection authorities in setting out further requirements to DPIAs and forming the practice. Do you have an opinion about DPIAs or the guideline? The Article 29 Working Party welcomes comments until 23 May 2017.


For further information, please contact Ida Häggström, Paulina Rehbinder or Vencel Hodák.