In preparation for the application of the EU General Data Protection Regulation (the “Regulation”), which has direct effect in Lithuania, as in the other Member States of the European Union, from 25 May 2018, the Article 29 Data Protection Working Party has published guidelines on data protection impact assessment. For data controllers the importance of this document is that the data protection impact assessment is an essential accountability tool: it allows the controller, where necessary, to prove that appropriate measures have been taken to ensure that the requirements of the Regulation are met.
The data protection impact assessment is a process for describing data processing operations, assessing their necessity and proportionality, and helping to manage the risks to the rights and freedoms of individuals that may arise from the processing of personal data. Although the Regulation does not formally define the content of the data protection impact assessment, it does set minimum content requirements, stating that the assessment should include at least:
1. a systematic description of the envisaged data processing operations and the purposes for which the data is processed;
2. an assessment of the necessity and proportionality of the data processing operations in relation to those purposes;
3. an assessment of the risks to the rights and freedoms of data subjects; and
4. the measures to be taken to eliminate those risks, which ensure the protection of personal data and demonstrate compliance with the Regulation.
In other words, the data protection impact assessment must be regarded as a process for demonstrating compliance with the Regulation. It should be understood that the assessment is not obligatory in all cases, but only where the processing is likely to result in a high risk to the rights and freedoms of natural persons, in particular, but not exclusively, in the following cases:
1. a systematic and comprehensive evaluation of personal aspects of individuals that is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning a natural person or similarly significantly affect a natural person;
2. large-scale processing of special categories of data or of personal data relating to criminal convictions and offences; or
3. systematic monitoring of public areas on a large scale.
The reference to the “rights and freedoms” of data subjects relates in particular to the right to data protection and privacy, but may also include other fundamental rights such as freedom of expression, freedom of thought, freedom of movement, and the prohibition of discrimination.
In deciding whether the rights and freedoms of individuals could be “at high risk”, the Working Party and the Regulation recommend considering the following nine criteria:
1. Evaluation or scoring, including profiling and prediction, in particular concerning aspects of the data subject’s activities or performance at work, economic situation, health habits, personal preferences or interests, reliability or behaviour, and location or movements; for example, a financial institution that screens its customers against a credit reference database or against a database on money laundering, terrorist financing or fraud;
2. Automatic decision making with legal effect or similar effect;
3. Large-scale monitoring of public places;
4. Processing of special categories of personal data;
5. Data is processed on a large scale;
6. Datasets are compared and matched;
7. Processing of data on vulnerable persons (children, refugees, etc.);
8. New technologies or organizational solutions are used;
9. The processing itself “prevents the data subject from exercising his rights, services or concluding contracts”.
In most cases, the data controller will have to carry out a Data Protection Impact Assessment if the processing meets two of the criteria listed above. However, in some cases a Data Protection Impact Assessment may be compulsory even if the processing meets only one of the criteria. The data protection impact assessment should be carried out by the data controller, in consultation with the data protection officer and the data processor, before the processing of personal data begins, using a methodology of the controller’s own choosing.
In accordance with Article 35(4) of the Regulation, the supervisory authority of the Republic of Lithuania, i.e. the State Data Protection Inspectorate, should compile and make public a list of the data processing operations for which the requirement to carry out a data protection impact assessment applies.