Data Protection Impact Assessment (DPIA)

Under the GDPR, there is a new general accountability obligation to demonstrate compliance with the Regulation, which includes carrying out a Data Protection Impact Assessment (also called a privacy impact assessment) whenever processing is likely to result in a ‘high risk’ to individuals (Article 35). Article 35(3) gives examples of such processing, in particular:

  • systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions are based that produce legal effects or similarly significantly affect individuals;
  • processing special categories of data (sensitive personal data) or data relating to criminal convictions and offences on a large scale; and
  • systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV).

Please visit: https://gdpr-info.eu/art-35-gdpr/

The Article 29 Working Party subsequently issued Guidelines on Data Protection Impact Assessments (WP 248), which set out nine criteria for identifying high-risk processing; as a rule of thumb, processing meeting at least two of these criteria requires a DPIA. On its first day of operation, the European Data Protection Board endorsed the GDPR-related WP29 Guidelines, including WP 248.

In November 2018, the CNIL published two deliberations further specifying when a DPIA is required. The first sets out the scope of the obligation and confirms that a DPIA is mandatory where a processing operation meets at least two of the WP 248 criteria. The second lists the types of processing operations for which a DPIA is required.

The CNIL has also developed an open source tool whose aim is to help organisations conduct privacy impact assessments, and has published its own PIA methodology, templates and knowledge bases.

Please visit:

CNIL deliberation (guidelines): https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000037559518

PIA Open Source Tool: https://www.cnil.fr/fr/node/23992

CNIL deliberation (list of processing operations requiring a DPIA): https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000037559521

PIA Methodology: https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-1-en-methodology.pdf

PIA Templates: https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-2-en-templates.pdf

PIA Knowledge Bases: https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-3-en-knowledgebases.pdf