What you need to know.
Under the GDPR, companies are required to perform a thorough Data Protection Impact Assessment (« DPIA ») when it is likely that their processing activities will entail a high risk of negative consequences for the data subjects. The GDPR provides several examples of where such a DPIA is required. Likewise, the Working Party 29 and the Belgian Privacy Commission have issued a number of recommendations in this respect. For example, such an obligation applies to hospitals, financial institutions that draw up financial profiles, or companies that use camera surveillance in publicly-accessible areas. Hence, most companies will not be under the obligation to perform a DPIA. But of course, nothing prevents such companies from conducting a DPIA on a voluntary basis.
Companies that act as processors do not slip through the net. The GDPR prescribes that processors are required to provide assistance to controllers in carrying out their DPIA.
What you need to do by 25 May 2018.
Primarily, as a company you must assess whether the obligation to perform a DPIA applies to your processing activities. The GDPR offers a number of examples in this respect. Furthermore, you can find some practical guidance in the recommendations of several privacy authorities.
In any case, you still have some time to prepare such DPIA. The Working Party 29 seems to indicate that a DPIA does not need to be carried out for existing processing activities, unless such existing processing activity has changed in the period leading up to 25 May 2018 and, as a consequence, will / can cause negative consequences for the data subjects involved.
Be aware that the DPIA is part of your accountability obligation vis-à-vis the supervisory authority. Therefore, the analysis of whether you are required to perform a DPIA must be carried out with the necessary precision. If there is a real chance that the obligation to conduct a DPIA applies to you, you are advised to call upon a specialist in this area.
Please consult our website or contact one of our team members if you have questions or require more information:
In the Picture - December 2018
Three people can only keep a secret if two are dead. A European recipe for trade secrets.