28 October 2016, by Wojciech Wiewiórowski
Yesterday, the 40th meeting between the EDPS and the DPOs from the EU institutions and bodies took place at the European Union Intellectual Property Office (EUIPO) in Alicante. I congratulate EUIPO for hosting a very successful meeting; I truly valued the opportunity to interact with our data protection partners and reinforce our collaboration.
One significant change introduced by the General Data Protection Regulation (GDPR) is the data protection impact assessment (DPIA). DPIAs embody a paradigm shift towards accountability in data protection law: organisations processing personal data (controllers) must be clear about what personal information they process, why they do so and how they do it, understand the risks of processing that data and take measures to mitigate those risks.
By discussing the implications and the practicalities of DPIAs now, we hope to provoke thinking and action in the EU institutions in preparation for their introduction. By inducing organisations to think about how they process personal information in a structured way, DPIAs are designed to help them to plan, organise and manage risks rather than be caught out by a data protection problem.
The GDPR provides an indicative list of when DPIAs should be carried out. The discussions between the DPOs, my staff and me centred on how to approach, in practice, some of the more abstract notions listed. For instance, how are we to determine "large scale"? A single CCTV camera located at the entrance of a server room which is not publicly accessible could not be considered large-scale; but what about video surveillance of large, publicly accessible courtyards of EU institutions?
In terms of health data, the GDPR's recital 91 explains that an individual physician should not have to conduct a DPIA for the processing of her patients' medical records. However, can the medical service of one of the larger EU institutions be considered large-scale? Given that this is an indicative list, DPOs may consider that there are other processing operations that are high risk.
The GDPR also provides a broad overview of how to carry out a DPIA and what needs to be included. Our discussions about the what, how and why of a DPIA, and about the risks to individuals and how to mitigate them, led to questions about whether there ought to be one single methodology or template. Should there be criteria for different methodologies, from which each organisation can select those that best fit its needs?
A frequent source of confusion is the relationship between DPIAs, organisational risk management and information security risk management. Where DPIAs assess the risks for people affected by the processing of their data, organisational risk management assesses the risks to the organisation, and information security risk management assesses risks to the organisation's information assets. While these three types of assessment are not necessarily the same, there are overlaps: you cannot have good data protection without good information security.
In all of our discussions at the DPO meeting, we also referred to the work already done by our colleagues in the national data protection authorities (DPAs). Many DPAs in the EU have created materials and methodologies on privacy impact assessments, which are essentially the ancestors of DPIAs. In addition to the work done by, for instance, the CNIL in France, the ICO in the United Kingdom or the AGPD in Spain, there is also academic literature on the subject.