Under the GDPR, there is a new general accountability obligation to show one complies with the Regulation by conducting a privacy impact assessment when ‘high risk’ processing is carried out. ‘High-risk’ processing includes:
- systematic and extensive profiling that produces legal effects or significantly affects individuals;
- processing sensitive personal data on a large scale; and
- systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV).
Please visit: https://gdpr-info.eu/art-35-gdpr/
Article 29 Working Party has issued Guidelines on Data Protection Impact Assessments (WP 248). It suggests there are nine criteria to consider determining whether to conduct a privacy impact assessment, and that an assessment should be made if two or more of those criteria are met. The European Data Protection Board (EDPB) endorsed the GDPR related WP29 Guidelines.
Please visit: https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/wp248_rev.01_nl.pdf (official Dutch translation)
The Dutch DPA has drawn up and published a (non-exhaustive) list of examples of types of “high risk” processing for which a Data Protection Impact Assessment (gegevensbeschermingseffectbeoordeling) must be carried out prior to processing.