28 October 2016, by Wojciech Wiewiórowski
Yesterday, the 40th meeting between the EDPS and the DPOs from the EU institutions and bodies took place at the European Union Intellectual Property Office (EUIPO) in Alicante. I congratulate EUIPO for hosting a very successful meeting, I truly valued the opportunity to interact with our data protection partners and reinforce our collaboration.
One significant change introduced by the General Data Protection Regulation (GDPR) are DPIAs. They embody a paradigm shift towards accountability in data protection law: organisations processing personal data (controllers) must be clear about what personal information they process, why they do so, how they do it, understand the risks to processing that data and take measures to mitigate those risks.
By discussing the implications and the practicalities of DPIAs now, we hope to provoke thinking and action in the EU institutions in preparation for their introduction. By inducing organisations to think about how they process personal information in a structured way, DPIAs are designed to help them to plan, organise and manage risks rather than be caught out by a data protection problem.
The GDPR provides an indicative list of when DPIAs should be carried out. The discussions between the DPOs, my staff and I centred around how to approach some of the more abstract notions listed in practice for instance, how are we to determine large scale? A single CCTV camera located at the entrance of a server room which is not publicly accessible could not be considered large-scale; but what about video surveillance of large, publicly accessible courtyards of EU institutions?
In terms of health data: the GDPR’s recital 91 explains that an individual physician should not have to conduct a DPIA for the processing of her patients’ medical records; However, can the medical service of one of the larger EU institutions be considered large-scale? Given that this is an indicative list, DPOs may consider that there are other processing operations that are high risk.
The GDPR also provides a broad overview of how to carry out a DPIA and what needs to be included. Our discussions about the what, how and why of a DPIA and the considerations of the risks to individuals and mitigating those risks led to questions about whether there ought to be one single methodology or template; should there be criteria for different methodologies from which each organisation can select those that best fits its needs?
A frequent source of confusion concerns DPIAs and organisational risk management and information security risk management. Where DPIAs assess the risks for people affected by the processing of their data, organisational risk management assesses the risks to the organisation and information security risk management assesses risks to the organisation’s information assets. While these three types of assessment are not necessarily the same, there are overlaps: you cannot have good data protection without good information security.
In all of our discussions at the DPO meeting, we also referred to the work already done by our colleagues in the national data protection authorities (DPAs). Many DPAs in the EU have created materials and methodologies on privacy impact assessments, which are essentially the ancestors of DPIAs. In addition to the work done by for instance, the CNIL in France, the ICO in the United Kingdom or the AGPD in Spain, there is also academic literature on the subject.
60th anniversary of the Rome Treaties. Giovanni Buttarelli to participate in the meeting of the 27 EU heads of state and heads of European Union institutions in Rome, Italy.
2018 International Conference of Data Protection and Privacy Commissioners to be hosted in Brussels. Read the press statement.
Giovanni Buttarelli meeting with Greg Nojeim, Senior Counsel and Director, Freedom, Security and Technology Project, Center for Democracy & Technology (CDT), Brussels, Belgium
Giovanni Buttarelli meeting with Cornelia Ernst, MEP, Brussels, Belgium
Processing of personal data by the Union institutions, bodies, offices and agencies, Study group meeting, EESC, Participation of Giovanni Buttarelli, Brussels Belgium
60th anniversary of the Rome Treaties, Participation of Giovanni Buttarelli in the meeting of the 27 EU heads of state and heads of European Union institutions, Rome, Italy
Forum on International Privacy Law, Participation of Wojciech Wiewiórowski, Königstein, Germany
Participation of Giovanni Buttarelli in DAPIX, Brussels, Belgium
Concurrences Review, Law & Economics Workshop: Big Data, Speech by Giovanni Buttarelli, Brussels, Belgium
Regulating Privacy through Ethical Standards and Accountability Principles in the era of Big Data, Keynote speech of Wojciech Wiewiórowski: Towards a new digital ethics – data, dignity and technology: How to ensure accountability in personal data management?, Brussels, Belgium