Austria: Data Protection Impact Assessment and Big Data: An Unsolvable Task?
Data growth over the last few years has prompted regulators to reassess how consumer data is protected. While the rapid growth of data has created an opportunity for companies to better understand the competitive business landscape, data subjects are now more than ever exposed to the risk of losing oversight of personal data.
The collection of large quantities of personal data is nowadays taken more or less for granted. While companies and consumers have both benefited greatly from new and smart technologies, regulations around data privacy and protection are becoming stricter due to the General Data Protection Regulation (“GDPA”). As a result of this new regulation, additional obligations have been imposed on data controllers and processors and, more importantly, data subjects are now better protected under this new law.
Data Protection Impact Assessment
The GDPR,1 which will take effect on 25 May 2018, imposes the Data Protection Impact Assessment (“DPIA”) in art 35. The DPIA is a process to help the data controller and data processor identify and reduce privacy related challenges and risks of data processing. If such risks are identified, the GDPR expects the controller to take measures to protect this personal data. The assessment should be conducted before the data processing activity commences.
Only exemplary cases in which a DPIA is necessary are enumerated in the GDPR, eg if sensitive data is processed or in cases of systematic and wide-ranging public monitoring (CCTV of public places), or in cases of profiling. The DPIA therefore means that the data controller has to assess the consequences and risks of future data processing, which makes dealing with big data processing more challenging. If the DPIA indicates a high risk that cannot be tackled by implementing appropriate technical security measures, the data controller will be obliged to consult the Data Protection Authority.
The DPIA process
The DPIA process is flexible and cannot be unified for every company or project. Given the level of execution complexity, the process should commence as soon as dedicated re-sources have been allocated. The DPIA requires several steps, which are configured with varying degrees depending on the company or project.
Step 1 – Data Flows
At this DPIA level it is necessary to describe the data flows of the company. It should ex-plain exactly which personal data is processed, for which purpose, who is the data subject (eg, customer, employee, supplier, etc), to whom the data will be transferred (if it will be transferred) and who will have access to this data as well as other necessary information.
Step 2 – Identifying Risks
In step two, the company should identify potential risks to data subjects and the compa-ny. Risks to data subjects can include damage caused by inaccurate data or a security breach, whereas associated company risk is usually considerable financial loss. A key risk is a legal compliance risk, which could include missing registrations or certificates
Step 3 – Privacy Solutions
The company should evaluate privacy solutions to assess the effectiveness of the solution to mitigate risks. For example, by implementing security measures, access rights or escalation management, the risk of a breach is minimised. Companies should also be aware that some risks cannot be entirely eliminated by privacy solutions. Available resources, costs and benefits should be evaluated and considered as well.
Step 4 – DPIA Report
The whole DPIA process should be reported and recorded by the company or consultants. The report should describe the DPIA process with all the steps taken to identify, evaluate, reduce or eliminate privacy risks. In addition, the decisions and investments made during the process should be recorded.
Step 5 – Integrating the DPIA outcomes into the company’s structure
The DPIA findings and actions should be integrated into the company’s structure or plan. This is critical, as the implementation of a new technology, for example, may necessitate another execution of the DPIA process. The integration may also require additional staff or external consultants.
Is the DPIA an unsolvable task for big data?
The DPIA process, particularly in the area of big data, is a big challenge. It is not impossible, however, and can be accomplished with the right resources. An important prerequisite is that the DPIA process is executed in a timely fashion. Another pillar of support, especially for future DPIAs, is the concept of Privacy by Design, which enables stronger protection of data subjects’ privacy.
The DPIA means that the data controller has to assess the consequences and risks of future data processing, which makes dealing with big data processing more challenging. If the DPIA indicates a high risk that cannot be tackled by implementing appropriate technical security measures, the data controller will be obliged to consult the Data Protection Authority.
- Regulation (EU) 2016⁄679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).