On 4.4.2017 the WP adopted the “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679”. The question is why, for whom and for what. The answer is inside the document and is not a secondary matter, because if we do not consider it we will probably not understand the document properly.
The present guidelines take a consistent interpretation of the circumstances in which a DPIA is required (Art. 35 para. 3), clarify the notion and provide for the lists to be adopted by DPAs under Art. 35 para. 4. The scope of the guidelines is to anticipate the future EDPB’s mission under Art. 70 para. 1(e) and, therefore, to clarify the relevant provisions of the GDPR in order to help controllers comply with the law and to provide legal certainty for controllers who are required to carry out a DPIA. These guidelines also seek to promote the development of:
– a common European Union list of processing operations for which a DPIA is mandatory (Art. 35 para. 4);
– a common EU list of processing operations for which a DPIA is not necessary (Art. 35 para. 5);
– common criteria on the methodology for carrying out a DPIA (Art. 35 para. 5);
– common criteria for specifying when the supervisory authority shall be consulted (Art. 36 para. 1);
– recommendations, where possible building on the experience gained in EU Member States.
In line with their scope, the guidelines provide a lot of very useful material: additional criteria … and processing operations for which a DPIA is required or not necessary, how to carry out a DPIA and which methodologies are used for carrying out one. Very importantly, a DPIA under the GDPR is a tool for managing risks to the rights of the data subjects. At the end, the guidelines give a welcome notice: an international standard will also provide guidelines for methodologies used for carrying out a DPIA, ISO/IEC 29134 (project), Information technology – Security techniques – Privacy impact assessment – Guidelines, International Organization for Standardization (ISO) …
Hope so… this kind of notice makes one feel better!
Note: All the law articles cited in the present post refer to Reg. EU 2016/679.