One of the new responsibilities for data controllers under the GDPR is to perform a data protection impact assessment (DPIA) when processing is likely to result in a high risk. The GDPR does not specify the details of the risk assessment. The Office's methodology supplements its regulation and stipulates 15 specific criteria for assessing the risk of processing (e.g. extent of processing, sensitivity of the data, degree of monitoring, or vulnerability of data subjects), each of which is further divided into three levels according to its seriousness.
Although it is not the final document, the Office's published risk assessment methodology in relation to DPIA is a significant refinement of the existing methodology of the EU Working Party WP29. In addition, it is evident from the draft that the number of processing activities that should be subject to a DPIA according to the Office would be lower than if it were based only on the WP29 guidelines. Under the draft, a DPIA would not be required for, for example, bookkeeping or the operation of a CCTV system without excessive monitoring of public areas or employees. The full text of the draft is available HERE.
In case of any question please contact our GDPR experts:
Mgr. Ing. Radek Matouš, Managing Attorney, E: email@example.com, T: +420 255 706 554
Mgr. Marek Bomba, LL.M., Managing Attorney, E: firstname.lastname@example.org, T: +420 255 706 548
5th December 2018