As the dust has settled somewhat, organizations are still very busy implementing alternative data transfer mechanisms after the revolutionary "Schrems II" decision invalidated Privacy Shield (which allowed free transfer of personal data between the EU and US). In this effort, one important tool is often overlooked: the data protection impact assessment ('DPIA').
Based on the text of Article 35 of the GDPR, subsequent guidance from the EDPB, and guidance from national supervisors, organizations have typically conducted impact assessments only for the processing activities where one is required: those that are "likely to pose a high risk to data subjects", based on a checklist of 'high risk criteria'.
Many companies, especially smaller ones or those that primarily act as a processor handling data for other organizations, do not conduct a formal DPIA because their activities do not fall strictly within the specific EDPB guidelines. Where a DPIA is conducted, it is almost always done by the data controller.
Because their scope concerns only data privacy, and because of the often misplaced fear that conducting a DPIA could somehow make an organization extra liable (nothing requires an organization to formally report the results if the activities are not considered risky or likely to harm the fundamental rights and freedoms of a data subject), DPIAs are underused in building a data privacy program.
In the future, however, DPIAs should be considered useful for both data controllers and processors for several reasons, including to determine which alternative transfer mechanisms are most viable, and to identify additional measures.
A potential high risk for data subjects is not limited to the abovementioned criteria, however, and in light of the Schrems decision there is also an argument that any processing activity involving a transfer outside the European Economic Area can now be classified as a "high risk activity", making a DPIA mandatory.
There is an official list of criteria for an acceptable DPIA, proposed by the predecessor of the EDPB. Interestingly, the steps proposed by the EDPB to ensure ongoing compliance with the EU General Data Protection Regulation (‘GDPR’) after Schrems II largely overlap, or can be combined with, those the EDPB proposes for DPIAs:
- necessity and proportionality
- rights of data subjects
- relationships with processors
- safeguards surrounding international transfer(s)
- when in doubt or a high risk: prior consultation of privacy supervisors
The way forward after Schrems II will likely remain unclear for the foreseeable future: although the U.S. Department of Commerce and the EU Commission are working on an updated data transfer agreement, it will not be here tomorrow. In the meantime, DPIAs are a tool that everyone who transfers data outside of the EEA should rely on more to provide clarity on their overall data protection strategy.