The Article 29 Working Party has adopted Guidelines on Data Protection Impact Assessments (DPIAs), following its consultation on a draft version published in April 2017. The final version provides additional guidance in a number of areas without materially changing the position.
Further guidance is provided on the trigger for mandatory DPIAs – whether the processing is likely to result in a “high risk to the rights and freedoms of natural persons.” Additional emphasis is placed on the obligations of controllers in cases where a DPIA is not required, pointing out that they must implement measures to appropriately manage risks regardless and, further, that they must continuously assess the risks to identify when they may trigger the DPIA obligation. The final Guidelines also discuss the sharing of information relating to DPIAs amongst joint controllers or where similar processing operations are carried out by various data controllers.