Under the GDPR, there is a new general accountability obligation not only to comply with the Regulation, but also to demonstrate that compliance. One tool available to demonstrate compliance is a privacy impact assessment, which should be carried out before undertaking ‘high risk’ processing. ‘High-risk’ processing includes:
- systematic and extensive profiling that produces legal effects or significantly affects individuals;
- processing sensitive personal data on a large scale; and
- systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV).
Please visit: https://gdpr-info.eu/art-35-gdpr/
The UK Information Commissioner has drawn up a list of “high risk processing”, which includes activities such as data matching and artificial intelligence. The ICO also issued guidance on DPIAs after public consultation.