EBF comments on the Article 29 WP guidelines on data protection impact assessment (dpia) – wp248
EBF advisor: Noémie Papp
Publication date: 23 May 2017
Data Protection Impact Assessment (DPIA) should be based on a risk-based approach:
We understand that the Article 29 Data Protection Working Party (WP29) intends to recommend a risk-based approach, but this can be clarified and strengthened in the guidelines.
- No mandatory DPIA for data processing requested by legal requirements:
A DPIA is intended to produce protection and privacy-friendly solutions where a data processing is likely to result in a high risk. If, however, a bank is subject by law to certain data processing requirements (e.g. monitoring payments to combat money laundering and fraud, processing employee data to comply with statutory tax and social security provisions), the legislator has already decided that such processing is legitimate. The bank has no discretion as to whether it performs the processing called for by the legislator or not.
The Guidelines provide a very large scope of criteria (listed on page 7-9) which are not adapted to the banking practice. An application of the current Guidelines would mean that each processing of financial data on a large scale would be considered as “likely to result in a high risk” under Article 35 (3). This will require banks to conduct a DPIA for most of their day-to-day operations/activities which would be disproportionate to the low risk of most bank data processing. Most routine data processing by banks is highly regulated, well controlled and well understood, and will not pose a high risk to data subjects.
- The “high risk to the rights and freedoms of natural persons” should be the deciding factor to conduct a DPIA:
While it is, in principle, helpful to provide examples of cases in which a DPIA should be conducted, an obligation to carry out a DPIA should not automatically be inferred from these examples. Instead, the “high risk to the rights and freedoms of natural persons” threshold should be the deciding factor to conduct DPIA. The ‘criteria’ for high risk should be reframed as ‘factors’ for controllers to consider when determining high risk. Factors that suggest that processing is ‘low risk’ should also be added and should include in particular the presence of other relevant regulation that protects data subjects.
The WP29 Guidelines on DPIA requirements should not go beyond the scope defined by the GDPR:
The Guidelines in many ways will be of help for the companies in their work with Data Protection Authorities. However, we observe that certain provisions go beyond the General Data Protection Regulation (GDPR). Helping interpretation of the text is useful, but seemingly, expanding the requirement to carry out a DPIA beyond the provisions of the GDPR should be avoided. This would pose unmanageable challenges to companies and also be at odds with the risk-based approach of targeted use of limited resources for particularly important cases (“be selective, be effective”).
DPIA for existing processing operations:
The Guidelines strongly recommend to carry out DPIAs for processing operations already underway prior to the entry into force of the GDPR. It seems rather burdensome to expect organisations to assess all of their existing processing operations as if they were already subject to DPIA. The Guidelines should be aligned with the scope defined by the Level 1 GDPR text, and not go beyond.
We propose to omit such a recommendation in view of the fact that the requirements for the future are already very challenging.