The importance of Impact Analysis (PIA or AIPD or DPIA)

Excerpt from Bruno DUMAY's book: GDPR DECRYPTION – For Managers, Strategic Departments and employees of companies and organizations – Preface by Gaëlle MONTEILLER

It is possible that the "data protection impact assessment" (DPIA) will become the symbol of the GDPR (in English, we speak of DPIA, Data Protection Impact Assessment, or, for short, PIA, Privacy Impact Assessment). In any case, it is the tool chosen to hold companies accountable and prevent them from acting to the detriment of consumer citizens. By requiring prior work before any data processing operation, and, where appropriate, consultation with the supervisory authority, it offers a serious guarantee of respect for privacy. 

An impact assessment is required before processing "where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons" (art. 35-1). The article specifies that a single assessment may cover several similar processing operations that present the same type of high risk. It follows from these provisions that if there is no "high risk", or if an assessment has already been carried out for similar operations, the assessment is not mandatory (the same applies when the processing is linked to a mission of public interest, an exception already noted).

The concept of "high risk" is not expressly defined, but the CNIL does define the notion of "privacy risk." It is "a scenario describing: a feared event (unauthorized access, unwanted modification or disappearance of data, and its potential impacts on the rights and freedoms of individuals); all the threats that would allow it to occur. It is estimated in terms of severity and likelihood. The severity must be assessed for the individuals concerned, not for the organization." This definition is vague and broad enough that a privacy risk, and therefore a high risk, can be found in a great many processing operations.

Article 35-4 provides that the supervisory authority will publish a list of operations for which an assessment is required. In the meantime, the G29 has combined various provisions of the GDPR to arrive at a list of nine criteria (guidelines of April 4, 2017, amended on October 4, 2017) which suggest that a processing operation is likely to generate a high risk:

– “assessment or rating, including profiling or prediction activities, relating in particular to “aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, or location and movements” (recitals 71 and 91)”;

– “automated decision-making with legal or similarly significant effect”;

– “systematic monitoring”;

– “sensitive data or data of a highly personal nature.” This may include information concerning political opinions, criminal convictions, medical records, but also, says the G29, emails, diaries, notes. If data of this type has been made public by the person concerned, this will be taken into account;

– “data processed on a large scale”. The concept of large scale is not specified, but the G29 recommends taking into account the number of people concerned, the volume of data, the duration and the geographical scope of the processing;

– “crossing or combining data sets”;

– “data concerning vulnerable persons (recital 75)”, i.e. children, employees, persons suffering from mental illness, asylum seekers, elderly persons, patients, etc.;

– “innovative use or application of new technological or organizational solutions”. The G29 cites in particular the combined use of fingerprint recognition and facial recognition, or the Internet of Things;

– processing that “prevents data subjects from exercising a right or benefiting from a service or contract”. The G29 gives the example of a bank that would screen its customers against a credit rating database before making its lending decisions.

The G29 considers that processing meeting two of these nine criteria requires a DPIA (although a single criterion may suffice). The CNIL provides an example: "a company sets up monitoring of the activity of its employees; this processing meets the criterion of systematic monitoring and that of data concerning vulnerable people, therefore a DPIA will be necessary."

The analysis must at least contain: a description of the operations envisaged as well as the purposes of the processing, an indication of the proportionality of the former in relation to the latter, an assessment of the risks to the rights and freedoms of the persons concerned, the measures envisaged to address the risks. The CNIL bases the impact analysis on two pillars: a more legal assessment concerning the “non-negotiable” principles, and a more technical study on the measures envisaged to protect the data. It suggests in its DPIA guides (currently under revision) to apply the GDPR plan (indicated at the beginning of this paragraph); when they are updated, they will undoubtedly be useful tools for all those who need to prepare such a document.

The question arises as to whether an impact assessment is necessary for processing operations already implemented as of May 25, 2018. The GDPR does not answer this question, but the CNIL does. "An impact assessment will not be required for: processing operations that have been the subject of a prior formality with the CNIL before May 25, 2018; processing operations that have been recorded in the register of a 'data protection and freedoms' correspondent." After 3 years, however, these lawfully implemented processing operations will have to undergo an impact assessment, still only in the event of a "high risk" for the data subjects.

At the bottom of these guidelines, the CNIL adds the following sentence: "The implementation of a DPIA constitutes, in all cases, a good practice facilitating the process of compliance with the substantive conditions provided for by the GDPR." Since the CNIL is the supervisory authority in France, this advice should not be overlooked in terms of good practice. Especially since the G29 states: "In case of doubt as to the need to carry out a DPIA, to the extent that DPIAs are an important tool for data controllers to comply with data protection legislation, the G29 recommends carrying one out regardless." The European working group finally adds that the DPIA is mandatory when "the associated risks have evolved."

Likewise, its indications regarding the professionals who must take part in carrying out the impact assessment are useful: the data controller (who is responsible for it), the processor (subcontractor) if there is one, the data protection officer (we will see who that is), the project owners and project managers, the information systems security manager, and, possibly, the data subjects, who can be consulted for their opinion by means of a questionnaire.

It is Article 35-7 of the GDPR which defines the minimum content of an impact analysis:

– a systematic description of the operations envisaged and the purposes of the processing;

– an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

– an assessment of the risks to the rights and freedoms of the persons concerned;

– the measures envisaged to address the risks and provide proof of compliance with the regulations.

The G29 provides examples of methodology in an appendix to its guidelines on the DPIA. The CNIL has just published guides with a method and a catalog of best practices, as well as open-source PIA software. There is therefore no longer any excuse for not complying with the new obligations.

Once the impact assessment is completed, either processing can begin or the controller must consult the supervisory authority “prior to processing where a data protection impact assessment carried out under Article 35 indicates that the processing would present a high risk if the controller did not take measures to mitigate the risk” (Art. 36-1). Paragraph 2 of the same article stipulates that, in the case of such prior consultation, the supervisory authority has 8 weeks (+6 in cases of complexity) to give its opinion.

The impact assessment may be published, with the aim of strengthening confidence in the company, but this is not an obligation.

Failure to carry out an impact assessment, or an incorrectly conducted assessment, can result in a fine of up to €10 million or, for a company, 2% of its worldwide annual turnover, whichever is higher.
