
Spain: An overview of the AEPD's risk management and DPIA guidelines

The Spanish data protection authority ('AEPD') published, on 29 June 2021, its 'Guidelines on Risk Management and Impact Assessment in the Processing of Personal Data'[1] ('the Guidelines'). Isabela Crespo, Bárbara Sáinz de Vicuña, and Mercedes Ferrer, from Gómez-Acebo & Pombo, summarise the main provisions of the Guidelines.


Background

For general compliance and as part of the accountability model on which it is based, the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') requires the prior identification, assessment, and mitigation of risks to the rights and freedoms of individuals in the processing of personal data. Moreover, the GDPR also introduced, in its Articles 35 and 36, an obligation to conduct, prior to the processing, a Data Protection Impact Assessment ('DPIA') of the envisaged processing operations 'where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons' and, where appropriate, a prior consultation of the supervisory authority, respectively.

In other words, the GDPR does not require that all processing of personal data must be subject to a DPIA, but it does require it to be carried out when there is a likelihood of a high risk. As a key part of the accountability obligations and a vital part of Data Protection by Design under the GDPR, a DPIA is a process that helps organisations identify and reduce risks associated with data processing.

Indeed, risk management and DPIAs are closely linked processes, the latter being a particular case of the former. Thus, briefly, as a general requirement of the GDPR, all data processing has to be subject to a risk assessment. When the processing operations are found to be of high risk, a DPIA shall then be conducted.

Although the GDPR does not elaborate in depth how risk assessments must be carried out, giving organisations the freedom to use their own risk management tools, policies, and governance, EU supervisory authorities have developed their own guidelines and tools to assist entities with compliance regarding risk assessment and DPIAs. Among those EU regulators, one can mention the French data protection authority ('CNIL')[2], the Irish Data Protection Commission ('DPC')[3], and the AEPD[4]. Also, the European Data Protection Board ('EDPB') endorsed the 'Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679' ('the Article 29 Working Party DPIA Guidelines'), which were issued by the Article 29 Working Party (i.e. its predecessor).

This Insight article specifically focuses on the Guidelines as issued by the AEPD.

Overview of the Guidelines

The Guidelines are addressed to data controllers, data processors, and data protection officers ('DPOs') for the management of risks to the rights and freedoms of data subjects applicable to any processing operation, regardless of the level of risk, providing a unified view of risk management in data governance processes within entities. The Guidelines are aimed at assisting compliance with the GDPR, especially in connection with the performance of risk assessment and, where appropriate, DPIAs pursuant to Article 35 of the GDPR, as well as the prior consultation of the supervisory authority referred to in Article 36 of the GDPR (i.e. where the result of the DPIA performed 'indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk').

These Guidelines may be a useful asset for developing a risk assessment methodology in terms of risk management as they have been drafted taking into consideration lessons learned in the application of risk management in the field of data protection, as well as criteria and interpretations not only from the AEPD itself, but also from the EDPB and the EDPS.

In this sense, it should also be highlighted that the Guidelines cover a broad range of matters, described in a well-structured and clear manner with tables, graphics, and real-world examples, which makes them a useful reference document, especially in pan-European projects.

Furthermore, it is worth noting that the Guidelines are complemented with other documents and tools provided by the AEPD, including:

  • a free online tool intended to assist in identifying risks to the rights and freedoms of data subjects, in order to make a first assessment of the intrinsic risk, the need to conduct a DPIA, and to estimate the residual risk if measures and safeguards are implemented to mitigate the specific risks[5];
  • a DPIA template for the private sector[6];
  • the list of the types of data processing that require a DPIA (pursuant to Article 35(4) of the GDPR)[7];
  • the list of types of data processing that do not require a DPIA (pursuant to Article 35(5) of the GDPR)[8]; and
  • a checklist for determining the formal adequacy of a DPIA and the submission of a prior consultation[9].

Structure of the Guidelines

Structurally, the Guidelines are divided into three main sections:

  • a first section that describes the fundamentals of risk management for the rights and freedoms of data subjects;
  • a second section that includes a basic methodological development for the application of risk management for rights and freedoms; and
  • a third and final section that focuses on cases that require the completion of a DPIA, with specific methodological guidelines in this respect.

Given the broad scope of the Guidelines and the number of issues addressed, this Insight article focuses on some specific matters that may be of particular interest to controllers, processors, and DPOs and which are discussed generally in the following sections.

Considerations regarding the Guidelines

On the basic methodological development for the application of risk management for rights and freedoms

Adopting a defined classification and methodology for risk management is one of the key areas in which the Guidelines may be beneficial for organisations. In fact, as stressed in the Guidelines, they have been expressly designed with the aim to assist those who need to implement a methodology from scratch.

In this sense, since they are generally neutral as to technology and sector, occasionally refer to international standards (e.g. ISO 9000, ISO 31000) and, ultimately, benefit from the so-called 'Brussels effect' (i.e. the de facto global diffusion of EU standards), they may be used to build a risk assessment methodology with a global perspective.

Mainly, the proposed methodology addresses five relevant steps:

  • description and contextualisation of processing;
  • identification and analysis of risk factors;
  • assessment of the level of risk related to the processing;
  • controls to reduce risk; and
  • residual risk assessment and review.

On the preliminary risk assessment to detect whether a DPIA is needed

Another important point of the Guidelines concerns the preliminary risk assessment to identify whether a DPIA must be performed. The analysis of the obligation to conduct a DPIA is part of the process of assessing the risk to rights and freedoms.

In this respect, it is worth noting that the tool and lists of the AEPD highlighted above may be particularly practical for the performance of this preliminary assessment. However, those lists are not exhaustive. In this sense, one must bear in mind that just because a processing of personal data does not fall within the mandatory lists published by supervisory authorities pursuant to Articles 35(4) and 35(5) of the GDPR, this does not necessarily mean that a DPIA is not required.

For this reason and for the sake of clarity, the Guidelines include a table with the conditions to be considered in determining whether the controller is obliged to carry out a DPIA of the processing. These conditions are, namely:

  • 'where a type of processing, in particular if it uses new technologies, is likely, by its nature, scope, context or purposes, to result in a high risk to the rights and freedoms of natural persons' (following Article 35(1) and Recital 76 of the GDPR);
  • when it falls within one of the cases set out in Article 35(3) of the GDPR;
  • when a DPIA is necessary for processing according to a particular regulation;
  • where the processing falls under one of the examples of an obligation listed in the Article 29 Working Party DPIA Guidelines;
  • when at least two of the conditions outlined in the Article 29 Working Party DPIA Guidelines are met by the processing;
  • where the processing satisfies two or more of the criteria of the list of the kind of processing operations which are subject to the requirement for a DPIA in line with Article 35(4) of the GDPR, published by the AEPD;
  • when a high risk has been determined after considering the situations specified in Article 28(2) of Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights ('LOPDGDD');
  • whenever any of the guidelines issued by the EDPB state that a DPIA is necessary for the processing in question; and
  • where the processing is subject to a code of conduct or a certification mechanism requiring the controller to carry out a DPIA.

As regards the specific analysis of these conditions, the Guidelines refer to the section dealing with the 'Assessment of the level of risk related to the processing'.

On the utility of applying the guidance provided regarding the assessment of the necessity and proportionality of the processing in the context of DPIAs to LIAs

As established in Article 35(7)(b) of the GDPR, the content of the DPIA shall include 'an assessment of the necessity and proportionality of the processing operations in relation to the purposes', which is an essential part of the DPIA. In that regard, the Guidelines include instructions on the assessment of the necessity and proportionality of the processing in the context of DPIAs.

As stressed by the AEPD in the Guidelines, such an assessment does not aim to determine the legitimacy of the processing or its legal bases. Thus, it should not be confused, in particular, with the legitimate interests assessment ('LIA') that must be conducted to analyse whether the processing may rely on 'the legitimate interests pursued by the controller or by a third party' under Article 6(1)(f) of the GDPR as the appropriate legal ground. Notwithstanding that, the guidance and recommendations provided in the Guidelines as regards the necessity and proportionality assessment of a processing in the context of DPIAs are undoubtedly also worth taking into account when applying the LIA.

Conclusion

For many businesses, adopting a consistent global approach is key for their operations, particularly as regards data governance and the protection of personal data. In order to achieve that aim, in terms of risk management, the Guidelines published by the AEPD are essential for controllers, processors, and DPOs when analysing their data processing operations and making the necessary decisions and actions to ensure and demonstrate that the processing complies with the GDPR.

Isabela Crespo, Senior Associate
Bárbara Sáinz de Vicuña, Senior Associate
Mercedes Ferrer, Associate
Gómez-Acebo & Pombo, Madrid


1. Available at: https://www.aepd.es/es/documento/risk-management-and-impact-assessment-in-processing-personal-data.pdf
2. Available at: https://www.cnil.fr/en/privacy-impact-assessment-pia
3. Available at: https://www.dataprotection.ie/sites/default/files/uploads/2019-10/Guide%20to%20Data%20Protection%20Impact%20Assessments%20%28DPIAs%29_Oct19_0.pdf
4. Available at (only in Spanish): https://www.aepd.es/es/derechos-y-deberes/cumple-tus-deberes/medidas-de-cumplimiento/evaluaciones-de-impacto
5. Available at: https://evalua-riesgo.aepd.es/index_en.html
6. Available for download at: https://www.aepd.es/es/documento/modelo-informe-EIPD-sector-privado-en.rtf
7. Available at: https://www.aepd.es/sites/default/files/2019-09/listas-dpia-en-35-4.pdf
8. Available at: https://www.aepd.es/sites/default/files/2019-12/ListaDPIA-35-5-Ingles.pdf
9. Available for download at: https://www.aepd.es/es/documento/checklist-dpia-submission-prior-consultation.docx