GDPR Update: WP29 Guidelines adopted for Data Protection Impact Assessment

Foley Hoag LLP - Privacy & Data Security

The new GDPR is much more detailed than the 1995 Directive. The GDPR has 99 articles, versus 34 in the Directive. And a few new key concepts clearly require new guidance.

Since the adoption of the Regulation on 27 April 2016, the Article 29 Working Party (with representatives of the Supervisory Authorities of all Member States) has issued 3 sets of guidance on “Data portability”, “Data Protection Officers” and “Lead Supervisory Authority”.

More recently, a fourth set of guidelines was last revised and adopted on 4 October 2017, on Data Protection Impact Assessment (DPIA).

DPIAs are assessments of the impact of the envisaged processing operations on the protection of personal data that must be carried out by the controller prior to the processing. DPIAs are required where a processing is “likely to result in a high risk to the rights and freedoms of natural persons” (GDPR, Article 35). According to the WP29:

  • “A DPIA is a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them. DPIAs are important tools for accountability, as they help controllers not only to comply with requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the Regulation (see also article 24). In other words, a DPIA is a process for building and demonstrating compliance.” (Emphasis added.)

These new guidelines are much welcomed, considering the potential impact of this new obligation on businesses. In particular, they provide more detail on what content will be expected in the assessments and on what “a high risk to the rights and freedoms of natural persons” means.

The following figure from page 7 of the DPIA guidance illustrates the basic principles related to the DPIA in the GDPR:


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Foley Hoag LLP - Security, Privacy and the Law
