The AVG is three years old: What to do with "my DPIAs"?

Since May 25, 2018, the General Data Protection Regulation (AVG) has been in effect. The goal of the regulation is a true European data protection culture and strong enforcement.

The AVG has proven to be an important piece of legislation and is a model for many other jurisdictions. The AVG has strengthened privacy protections for citizens. The AVG provides greater transparency and gives data subjects enforceable rights, such as the right of access, the right to be forgotten and the right to data portability. In addition, the AVG means that demonstrable compliance is becoming increasingly important for organizations. They recognize that properly handling the privacy interests of data subjects can provide a competitive advantage.

May 25, 2021

Background articles

Violations, penalties and causes

Since the entry into force of the AVG, various fines have been imposed by the various European regulators. A good overview of the fines and distribution in the EU member states can be read in DLA Piper's annual report. (1) Italy ranks first with a total amount of fines imposed of € 69,328,716, followed by Germany (€ 69,085,000) and France (€ 54,436,300). The Netherlands is in eighth place with €2,540,000.

The Netherlands ranks second in terms of the total number of data breach reports (66,527) since the introduction of the AVG. Germany ranks number one with 77,747 reported data breaches. This is in stark contrast to, for example, Greece with a total of 371 reported data breaches.

The causes of data breaches and fines imposed include lack of transparency (violation of the information obligation), lack of a lawful basis for processing, lack of adequate security measures, failure to comply with the principle of data minimisation and exceeding retention periods.

Accountability and demonstrability

When it comes to further analysis, it is interesting to note that much goes wrong in the lawfulness of personal data processing. This includes issues such as a proper inventory of the personal data to be processed, an assessment of the legal basis and a consideration of the principles of the AVG (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality). This means that the controller must be able to demonstrate that the entire data processing operation complies with the AVG. This is the 'accountability obligation' of Article 5(2) AVG. There are also helpful tools on the market to meet this 'accountability' requirement. (2)

DPIA as a tool for demonstrable compliance

The Data Protection Impact Assessment (DPIA) is an appropriate (and necessary) tool to demonstrate that a data processing operation complies with the AVG. Whether it is a Pre-DPIA or a DPIA, a controller can use it to demonstrate that the entire processing of personal data to which the DPIA relates complies with the AVG. The WP29 (3) has indicated in its guidelines on DPIAs (4) that a DPIA is a process that comes with demonstrable compliance.

Handbook of DPIAs

There are many misunderstandings about DPIAs. To gain a good understanding of DPIAs, a useful book is available: the Handbook of DPIAs. (5)

What is a DPIA?

A DPIA is a tool/process designed to describe the processing of personal data, assess its necessity and proportionality, and help manage the associated risks to the rights and freedoms of natural persons by assessing these risks and determining measures to address them.

It is also necessary to determine for each processing of personal data whether there is a "high risk". See Article 35 AVG for this. (6) You can make this determination through a Pre-DPIA.

Organizations must be able to justify their data processing operations. They must be able to demonstrate that the data processing operations they perform comply with the (principles of the) AVG.

DPIA is a process

It was noted earlier that the DPIA is a process. If necessary, the DPIA should be updated. This means that if risks change, data processing changes, or circumstances change, the DPIA should be updated.

Thus, a DPIA is not a one-time action in the form of a record in a document, but is an ongoing process of (re-evaluating) data processing.

This is also confirmed in Article 35(11) AVG:

'Where necessary, the controller shall conduct a review to assess whether the processing is carried out in accordance with the data protection impact assessment, at least where there is a change in the risk posed by the processing operations.'

The WP29 states in its guidelines WP 248: "It is good practice to continuously review and regularly reassess a data protection impact assessment. Even if a data protection impact assessment is not required on May 25, 2018, it is therefore necessary for the data controller to conduct a data protection impact assessment at the appropriate time as part of its overall accountability."

This means that the DPIA (report) should be reviewed periodically.

It is therefore prudent to provide each DPIA with an implementation and adoption date (by the controller), but most importantly with an "expiration date". By including this date in an expiration calendar, the controller is automatically alerted that a DPIA needs to be reviewed.

This is a "good practice" in terms of implementing a prudent data management policy.

The Autoriteit Persoonsgegevens (the Dutch data protection authority) (7) notes in this regard that: 'Conducting a DPIA is not a one-time task, but a continuous process. You should always keep monitoring whether your data processing changes. For example, if you are going to use a new technology. Or if you are going to use personal data for a different purpose.

In these situations, your data processing actually turns into a new data processing operation. And then a DPIA may be mandatory. Because of these changes, it is advisable to conduct a DPIA periodically. Even if the data processing itself has not changed. For example, once every 3 years'.

This means that any DPIA conducted must be reviewed at least once every three years.

So what does this mean for "my DPIAs"?

Proper application of the data management process means that, now that the AVG has been in place for three years, effectively all data processing in an organization must be reassessed.

Also, three years after the entry into force of the AVG on May 25, 2018, a DPIA must by now have been carried out for every "high risk" processing operation.

Many organizations are still struggling with the subject of DPIAs. When should you conduct a DPIA? What exactly is a "high risk" processing? How do you go about it and what is a good DPIA?

The Handbook on DPIAs (8) can be of great help. The DPIA Handbook contains clear explanations and uses a proven methodology. Practical models have also been added, enabling you to quickly perform a good DPIA.

All individual processing operations are recorded in a (Pre-)DPIA, providing a total overview of all individual processing operations in an organization, with an insightful consideration of whether or not each is a 'high risk' processing. All risks and measures are also (re)assessed and mapped.

Want to learn more about the theory and practice of DPIAs?
Then attend the DPIA course, which will be taught by privacy lawyers Francis Joung and Sander van de Molen on June 22, 2021. More information about the course can be found here.

Footnotes:

(1) See "DLA Piper GDPR fines and data breach survey" report, January 2021.

(2) For example, EasyPrivacy®. See www.privacyteam.nl.

(3) The Article 29 Working Party (WP29) was succeeded by the European Data Protection Board (EDPB) on May 25, 2018, which endorsed the WP29 guidelines.

(4) See WP29 Guidelines WP 248, p. 4 and 5: A data protection impact assessment is a process designed to describe the processing of personal data, assess its necessity and proportionality, and help manage the associated risks to the rights and freedoms of natural persons by estimating these risks and determining measures to address them. Data protection impact assessments are important accountability tools because they help data controllers not only comply with the requirements of the AVG, but also demonstrate that appropriate measures have been taken to ensure compliance with the Regulation (see also Article 24). In other words, a data protection impact assessment is a process for achieving and demonstrating compliance.

(5) See DPIAs Handbook, Theory and Practice for Non-Lawyers, September 2020, Berghauser Pont Publishing House. Authors: Francis Joung and Sander van de Molen. ISBN 978-94-92952-42-4. This book also contains practical models for conducting and recording DPIAs.

(6) Article 35(1) AVG (Data protection impact assessment): Where a type of processing, in particular a processing using new technologies, is likely to present a high risk to the rights and freedoms of natural persons in view of its nature, scope, context and purposes, the controller shall, prior to the processing, carry out an assessment of the impact of the intended processing activities on the protection of personal data. One assessment may cover a range of similar processing operations that present similar high risks.

(7) See the following link: https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/data-protection-impact-assessment-dpia.

(8) See Handbook of DPIAs, Theory and Practice for Non-Lawyers, September 2020, Berghauser Pont Publishing. ISBN 978-94-92952-42-4. This book also contains practical models for conducting and recording DPIAs.
