DO YOU NEED TO CONDUCT A GDPR DATA PROTECTION IMPACT ASSESSMENT? A Simple GDPR-referenced 'Decision Tree'
The EU General Data Protection Regulation (GDPR) requires controllers to conduct a Data Protection Impact Assessment (DPIA) where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, by virtue of their nature, scope, context and purposes. [GDPR Art. 35]
The threshold assessment questions below can be used to help determine whether a full DPIA is required for proposed processing operations under the GDPR, i.e. whether the processing operations are likely to result in a high risk to the rights and freedoms of natural persons.
After completing the threshold assessment, the person responsible for approving the project can review the levels of risk flagged and the corresponding recommendations, and begin a full DPIA if they so choose.
NOTE: Should you find the above useful & want a similarly 'simplified' Data Protection Impact Assessment Decision Tree/Questionnaire, then link with me or let me know & I will happily send it to you when I complete it
1 – Processing Personal Data
"'Personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." [GDPR Art. 4(1)]
2 – Legal Basis – Processing
What is the legal basis for the processing of data?
"Processing shall be lawful only if and to the extent that at least one of the following applies:" [GDPR Art. 6(1)]
- Consent of the data subject
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
If the answer is ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’, then skip to 4 – New Technologies
If none of the above applies, then identify and document a legal basis under Article 6(1) of the GDPR before continuing with the proposed processing operations
3 – Legitimate Interest
Describe the legitimate interest pursued by the proposed processing operations
Under the GDPR, DPIAs must contain "a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller." [GDPR Article 35(7)(a)]
4 – New Technologies
Do the proposed processing operations involve using new technologies?
If no, then go to 5
If yes, then a DPIA should be conducted, as per Recital 89 and Article 35(1) of the GDPR. The new technologies should be described
5 – New Kind of Processing Operations
Are the proposed processing operations of a new kind where no prior DPIA has been carried out?
If no, then go to 6
If yes, then a DPIA should be conducted, per Recital 89 and Article 35(1) of the GDPR
6 – Large-Scale Processing
Will the proposed processing operations be conducted on a large scale, aimed at processing a considerable amount of personal data at regional, national or supranational levels?
If no, then go to 7
If yes, then a DPIA should be conducted, per Recital 91 and Article 35 of the GDPR
7 – Number of Data Subjects
Could the proposed large-scale processing operations affect a large number of data subjects?
If no, then go to 8
If yes, then a DPIA should be conducted, per Recital 91 and Article 35 of the GDPR
8 – Impinge on Rights
Are the proposed large-scale processing operations likely to make it more difficult for data subjects to exercise their rights?
"[F]or example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights." [GDPR Recital 91]
If no, then go to 9
If yes, then a DPIA should be conducted, per Recital 91 and Article 35 of the GDPR
9 – Large-Scale Monitoring
Will the proposed processing operations include systematic monitoring of a publicly accessible area on a large scale?
"[E]specially when using optic-electronic devices or for any other operations where the competent supervisory authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale." [GDPR Recital 91]
If no, then go to 10
If yes, then a DPIA must be conducted, per Recital 91 and Article 35(3)(c) of the GDPR
10 – Systematic and Extensive
Will the operations include a systematic and extensive evaluation of personal aspects based on automated processing, and on which decisions are based that produce legal effects concerning or that significantly affect the natural person?
If no, then go to 11
If yes, then a DPIA must be conducted, per Recital 91 and Article 35(3)(a) of the GDPR
11 – Special Categories
Will the proposed processing operations include processing on a large scale of any of the following special categories of data? [GDPR Recital 91; Articles 35(3)(b) and 9(1)]
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade-union membership
- Genetic data
- Biometric data
- Health data
- Sex life
- Sexual orientation
If no, then go to 12
If yes, then a DPIA must be conducted, per Recital 91 and Article 35(3)(b) of the GDPR
12 – Legal Basis (Special)
What is the legal basis for the processing of special categories of data? See Article 9(2) of the GDPR for the full text of each legal basis.
- Explicit consent of the data subject
- Processing is necessary for carrying out obligations
- Processing is necessary to protect the vital interests of the data subject
- Processing is carried out by a not-for-profit body with a political, philosophical, religious or trade union aim
- Processing relates to personal data manifestly made public by the data subject
- Processing is necessary for the establishment, exercise or defense of legal claims
- Processing is necessary for reasons of substantial public interest on the basis of Union or Member State law
- Processing is necessary for the purposes of preventative or occupational medicine
- Processing is necessary for reasons of public interest in the area of public health
- Processing is necessary for achieving purposes in the public interest, scientific and historical research, or statistical purposes (in accord with Article 89(1))
If the answer is not one of the above, then identify and document a legal basis under Article 9(2) of the GDPR before continuing with the proposed processing operations
13 – Criminal Conviction Data
Will the proposed processing operations include any processing on a large scale of personal data relating to criminal convictions and offences?
NOTE: under Article 10 of the GDPR, this type of processing shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects