With the General Data Protection Regulation (GDPR) in force, many organisations already have most of the documentation in place, such as a privacy policy, internal data processing rules, records of data processing activities, etc. However, compliance with the GDPR does not stop at these documents / Data Protection Impact Assessment (DPIA) is still often unjustifiably overlooked. ECOVIS ProventusLaw explains why it is necessary and required.
What Is A Data Protection Impact Assessment (DPIA) And Why Is It Important?
Data protection impact assessment – the obligation of the data controller to assess the impact of processing operations on data protection where the type, nature, scope, context and purposes of the processing are likely to result in a serious risk to the rights and freedoms of natural persons. In other words, where processing operations are likely to result in a high risk to the rights of individuals, an organisation must assess the origin, nature and seriousness of the risks and determine measures to mitigate them. The DPIA must be documented and, where necessary, periodically reviewed.
Regular DPIAs are part of the principle of accountability enshrined in the GDPR and help an organisation to demonstrate compliance and mitigate the risks of data processing. In addition, a DPIA helps to reduce financial costs and further disruptions by implementing additional data protection measures in advance and by collecting and processing only the necessary data.
When Is A Data Protection Impact Assessment Necessary?
Recording telephone conversations. Many organisations record telephone conversations, for example to ensure the quality of customer service or to ensure the continuity of service provision. Almost always, when we make calls to medical institutions, public service providers or use public administration services, our conversations are recorded. In all these cases, organisations must have carried out a DPIA before starting these processes.
Carrying out video surveillance. The same requirement applies if organisations carry out large-scale surveillance of the areas that include a public place. The protection of property, offices, warehouses or the maintenance of public order is often the reason for video surveillance. In this case, it is not sufficient to inform individuals about the video surveillance, but it is also necessary to carry out a DPIA and to assess the risks that video surveillance and the related processing of video data pose to the rights of individuals.
Processing of employees’ personal data for monitoring or control purposes, or processing of personal data relating to the monitoring of employees’ communications, behaviour, location or movements. Another case that is often overlooked is the monitoring of employees. The monitoring of employees in this case cannot be understood in a narrow sense, i.e., only as filming of employees. Employee surveillance under the DPIA must be interpreted broadly. Employee monitoring includes cases where the employer has the possibility to check the actions of employees on IT systems (what files they have opened, downloaded, deleted), on the internet browser, checking (on a specific legal basis) email inboxes, as well as GPS tracking of the employee’s vehicle, and other similar cases.
The DPIA should include a full and comprehensive assessment of the risks and the measures the organisation will take to mitigate them.
Learning From Mistakes Of Others
Whilst there are many different data protection requirements and it may be overwhelmingly difficult to begin a compliance journey, processes like DPIA are there for the sake of data subjects and organisations. Without the DPIA, processing of personal data may lead to personal data breaches and the loss of trust between an organisation and its clients. We can see many examples in different countries where significant fines have been imposed for not carrying out a DPIA, such as:
- Finnish Data Protection Authority imposed 16 000 EUR fine on Kymen Vesi Oy for failure to carry out a DPIA for the processing of location data of employees with a vehicle information system;
- Norwegian Data Protection Authority imposed 46 660 EUR fine on Municipality of Rælingen for the processing of children’s health data in connection with disability through the digital learning platform ‘Showbie’. The Municipality had failed to carry out a DPIA prior to the start of the processing and had not taken adequate technical and organisational measures, resulting in an increased risk of unauthorised access to the personal data of the pupils;
- Portuguese Data Protection Authority imposed 4 300 000 EUR fine on Portuguese National Statistical Institute for numerous violations of the GPDR in connection with the 2021 census in Portugal. One of violations was that Portuguese National Statistical Institute failed to conduct a DPIA regarding the census;
- French Data Protection Authority imposed 800 000 EUR fine on DISCORD INC. The company made many violations of GDPR such as failing to establish and comply with a data retention period appropriate to the purpose of the processing, failing to sufficiently ensure the security of personal data by accepting unsecure passwords from users, failing to conduct a DPIA, etc.
If your organisation is assessing the need for, planning to conduct, or experiencing difficulties in conducting a data protection impact assessment, please do not hesitate to contact the data protection experts at ECOVIS ProventusLaw, who are always ready to help.
Prepared by Brigida Bacienė, ECOVIS ProventusLaw Data Protection Expert, and Gabija Bacevičiūtė, ECOVIS ProventusLaw Junior Associate