The Article 29 Working Party (WP29) issued its Final Guidance on Data Protection Impact Assessments on 4 October. You can find out more about the role of WP29 in our data protection glossary here.
The guidance is in many respects similar to the draft guidance issued in April.
Largely the guidance is common sense and there are no real surprises. The guidance talks about the role of data processors in DPIAs – our experience has shown that a data processor’s willingness to assist in the DPIA process can be a good guide to their data compliance generally.
The guidance stresses that a DPIA is not necessary in every case. It confirms, however, our experience that it is often not clear to a business whether a DPIA is required or not. In our experience a good DPIA should have a triage element which helps a business determine whether a full-blown DPIA is required. The guidance seems to confirm that saying: “In cases where it is not clear whether a DPIA is required, the WP29 recommends that a DPIA is carried out nonetheless as a DPIA is a useful tool to help controllers comply with data protection law”. The guidance expands on the occasions when regulators think a DPIA will be legally required.
One of the questions we are asked most frequently is whether DPIAs should be done on existing practices. The WP29 guidance also addresses this: “As a matter of good practice, a DPIA should be continuously reviewed and regularly re-assessed. Therefore, even if a DPIA is not required on 25 May 2018, it will be necessary, at the appropriate time, for the controller to conduct such a DPIA as part of its general accountability obligations”.
The guidance also confirms that DPIAs should be a team game – from our experience DPIAs work best when the business leads the process rather than the Data Protection Officer. The guidance stresses that other relevant individuals such as the CISO should also be involved.
We’ve much more detailed advice on DPIAs in GDPR Navigator, which includes a detailed guidance note on the accountability elements of GDPR and a 25-minute film on DPIAs with best practice and tips for compliance. There are more details of GDPR Navigator here. We’ve also helped businesses prepare their DPIA templates and led workshops on the key skills needed to run a DPIA effectively.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
|Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH||André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH|
|Office: +44 (0)207 075 1784||Office: +44 (0)207 075 1785|