
Friday, 19 October 2018

EDPB indicates that ICO's guidelines on DPIAs are too stringent

Organisations use data protection impact assessments ("DPIAs") to identify and mitigate the data protection risks of a project. The General Data Protection Regulation ("GDPR"), which has applied since 25 May 2018, requires organisations to carry out a DPIA in specific circumstances, in particular where processing is likely to result in a high risk to the rights and freedoms of individuals.

At its latest plenary meeting, the European Data Protection Board ("EDPB"), the EU's data protection body, adopted 22 opinions that establish common criteria for the national DPIA lists.

The lists were drawn up by the national supervisory authorities ("SAs") to set out which types of processing are likely to be categorised as high-risk and therefore require a DPIA. The EDPB examined the lists submitted by 22 EU countries before establishing the common criteria, with the aim of providing more consistency across the EU, as the GDPR requires.

The UK list, which the Information Commissioner's Office ("ICO") had incorporated into its guidance on DPIAs, stated that the processing of biometric, genetic or location data would automatically require a DPIA. The EDPB's opinion on the UK list disagreed, stating that processing these types of data on their own "is not necessarily likely to represent a high risk". Instead, the Board recommended that the ICO amend its guidance so that, for these types of data, a DPIA is required only when the processing meets at least one other criterion set out in the WP29's guidance on DPIAs, which the EDPB has endorsed.

There was further disagreement over employee monitoring and the use of innovative technology. The EDPB's opinion asked the ICO to amend its guidance so that organisations planning to monitor employees are required to carry out a DPIA only where two of the "high-risk" criteria listed in the WP29 guidance endorsed by the EDPB are present. Likewise, the EDPB asked the ICO to refer to "innovative" rather than "new or innovative" technology, and to state that processing using innovative technology requires a DPIA only when it meets at least one other criterion from that guidance.

Under Article 64(7) and (8) of the GDPR, the ICO must respond to the EDPB's opinion within two weeks of receiving it. The GDPR does not oblige an SA to amend its list in line with the EDPB's opinion, but an SA that decides not to follow the opinion must, within the same two-week period, state the relevant grounds for not doing so.

We have created DPIA procedures for many of our clients. Please contact us if you require assistance with creating such a procedure or with reviewing your DPIAs.

Useful links

Notes from the latest EDPB meeting

A list of the 22 opinions of the EDPB on DPIAs

The EDPB's opinion on the UK list

The ICO's current guidance on DPIAs (possibly subject to change)

The WP29's guidance on DPIAs

Article 64(7) and (8) of the GDPR
