Impact Assessment under GDPR - Part 1

In today's article we will discuss the impact assessment and the provisions for it under the GDPR. In general parlance, it means a structured process for considering the implications of an envisaged processing operation for the protection of personal data. The impact assessment is to be done before processing takes place.

Article 35 of the GDPR explicitly provides that where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller must carry out an impact assessment before any processing of that nature begins. A single assessment may address a set of similar processing operations that present similar high risks.

The provisions of Article 35 require the controller to seek the advice of the Data Protection Officer (where one has been designated) when carrying out a data protection impact assessment.

The GDPR specifies certain situations in which a data protection impact assessment shall in particular be required:

  1. Automated processing, including profiling, on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  2. Large-scale processing of special categories of data referred to under Art. 9(1) (note that this includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data, health data, and data concerning sex life or sexual orientation) or of data relating to criminal convictions and offences referred to under Art. 10;
  3. Systematic monitoring of a publicly accessible area on a large scale.

Article 35 further allows, but does not oblige, the supervisory authority to establish a list of the kinds of processing operations for which no data protection impact assessment is required; that list must be communicated to the Board (the European Data Protection Board). The Board must apply the consistency mechanism referred to under Art. 63 of the GDPR if the list involves processing activities related to the offering of goods or services to data subjects, or to the monitoring of their behaviour, in several Member States, or if it has the potential to substantially affect the free movement of personal data within the EU.

Picture Credit- https://www.freeprivacypolicy.com/