Uploaded by

Marcela Lesiczka

Luiss

Department of Law

Data Protection Impact Assessment and Data Breach

10 November 2021 Data Protection Law A.A. 2021-2022


Article 35 – DPIA

Article 35 of the GDPR introduces the concept of a Data Protection Impact Assessment (DPIA).
A DPIA is a process designed to describe the processing, assess its necessity
and proportionality and help manage the risks to the rights and freedoms of
natural persons resulting from the processing of personal data by assessing
them and determining the measures to address them.
The Risk

The GDPR requires controllers to implement appropriate measures to
ensure and be able to demonstrate compliance with the GDPR, taking into
account among others “the risks of varying likelihood and severity for
the rights and freedoms of natural persons” (Article 24).
A “risk” is a scenario describing an event and its consequences, estimated in
terms of severity and likelihood. “Risk management” can be defined as the
coordinated activities to direct and control an organization with regard to
risk.
What does a DPIA address?

A DPIA addresses a single processing operation or a set of similar processing operations.

1. A DPIA may concern a single data processing operation.
2. A single DPIA could be used to assess multiple processing operations that are similar in
terms of nature, scope, context, purpose, and risks.
3. A DPIA can also be useful for assessing the data protection impact of a technology
product.
Which processing operations are subject to a DPIA?
Apart from the exceptions, a DPIA has to be carried out when processing is “likely to result
in a high risk”.

Even though a DPIA could be required in other circumstances, Article 35(3) provides some
examples of when a processing operation is “likely to result in high risks”:
A. a systematic and extensive evaluation of personal aspects relating to natural persons which
is based on automated processing, including profiling, and on which decisions are based that
produce legal effects concerning the natural person or similarly significantly affect the
natural person;
B. processing on a large scale of special categories of data referred to in Article 9(1), or of
personal data relating to criminal convictions and offences referred to in Article 10; or
C. a systematic monitoring of a publicly accessible area on a large scale.
DPIA - Criteria

In order to provide a more concrete set of processing operations that require a DPIA due
to their inherent high risk, taking into account the particular elements of Articles 35(1)
and 35(3)(a) to (c), the list to be adopted at the national level under Article 35(4) and
recitals 71, 75 and 91, and other GDPR references to “likely to result in a high risk”
processing operations, the following nine criteria should be considered.
1. Evaluation or scoring;
2. Automated decision-making with legal or similar significant effect;
3. Systematic monitoring;
4. Sensitive data or data of a highly personal nature;
5. Data processed on a large scale;
6. Matching or combining datasets;
7. Data concerning vulnerable data subjects (recital 75);
8. Innovative use or applying new technological or organisational solutions;
9. Processing that prevents data subjects from exercising a right or using a service or a
contract (Article 22 and recital 91).

In most cases, a data controller can consider that a processing meeting two criteria
would require a DPIA to be carried out.
However, in some cases, a data controller can consider that a processing meeting only
one of these criteria requires a DPIA.
DPIA - Examples

Examples of processing | Possible relevant criteria | DPIA likely to be required?

A hospital processing its patients’ genetic and health data (hospital information system).
  Criteria: sensitive data or data of a highly personal nature; data concerning vulnerable
  data subjects; data processed on a large scale.
  DPIA likely to be required? YES

The use of a camera system to monitor driving behaviour on highways. The controller
envisages using an intelligent video analysis system to single out cars and automatically
recognize license plates.
  Criteria: systematic monitoring; innovative use or applying technological or
  organisational solutions.
  DPIA likely to be required? YES

A company systematically monitoring its employees’ activities, including the monitoring
of the employees’ work station, internet activity, etc.
  Criteria: systematic monitoring; data concerning vulnerable data subjects.
  DPIA likely to be required? YES

A processing of “personal data from patients or clients by an individual physician, other
health care professional or lawyer” (Recital 91).
  Criteria: sensitive data or data of a highly personal nature; data concerning vulnerable
  data subjects.
  DPIA likely to be required? NO
The gathering of public social media data for generating profiles.
  Criteria: evaluation or scoring; data processed on a large scale; matching or combining
  of datasets; sensitive data or data of a highly personal nature.
  DPIA likely to be required? YES

An institution creating a national level credit rating or fraud database.
  Criteria: evaluation or scoring; automated decision making with legal or similar
  significant effect; prevents data subjects from exercising a right or using a service or
  a contract; sensitive data or data of a highly personal nature.
  DPIA likely to be required? YES

An online magazine using a mailing list to send a generic daily digest to its subscribers.
  Criteria: data processed on a large scale.
  DPIA likely to be required? NO

An e-commerce website displaying adverts for vintage car parts involving limited profiling
based on items viewed or purchased on its own website.
  Criteria: evaluation or scoring.
  DPIA likely to be required? NO

Storage for archiving purposes of pseudonymised personal sensitive data concerning
vulnerable data subjects of research projects or clinical trials.
  Criteria: sensitive data; data concerning vulnerable data subjects; prevents data subjects
  from exercising a right or using a service or a contract.
  DPIA likely to be required? YES
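The criteria list and the examples above can be turned into a repeatable screening step. The following is an added example written for this page (not WP29, EDPB or Luiss code): it encodes the nine criteria as an enumeration, applies the slides' rule of thumb (two or more criteria met means a DPIA is likely required, a single criterion is left to the controller's judgement) and checks the result against the slide examples. The `exemption` field is an assumption used to model the Recital 91 case for an individual physician or lawyer; the example names and criteria assignments are constructed from the table rows.

```python
"""DPIA screening helper (added example for this page; not WP29/EDPB/Luiss code).

Encodes the nine WP29 criteria and the slides' rule of thumb:
two or more criteria met -> DPIA likely required. Exemption handling is an
assumption modelled on the Recital 91 example (individual physician or lawyer).
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, FrozenSet, Optional, Tuple


class Criterion(Enum):
    """The nine WP29 criteria, in the order the slides list them."""
    EVALUATION_OR_SCORING = auto()
    AUTOMATED_DECISION = auto()
    SYSTEMATIC_MONITORING = auto()
    SENSITIVE_DATA = auto()
    LARGE_SCALE = auto()
    MATCHING_DATASETS = auto()
    VULNERABLE_SUBJECTS = auto()
    INNOVATIVE_USE = auto()
    PREVENTS_RIGHT_OR_SERVICE = auto()


@dataclass(frozen=True)
class Processing:
    name: str
    criteria: FrozenSet[Criterion]
    # Assumed field: set when one of the "DPIA not required" cases applies.
    exemption: Optional[str] = None


def screen(p: Processing) -> Tuple[bool, str]:
    """Return (dpia_likely_required, rationale) for one processing operation.

    Two or more criteria -> required (slides' rule of thumb). One criterion is
    flagged for controller judgement rather than decided automatically, because
    the slides say a single criterion *can* suffice in some cases.
    """
    if p.exemption:
        return False, f"not required: {p.exemption}"
    hits = sorted(c.name for c in p.criteria)
    if len(hits) >= 2:
        return True, f"{len(hits)} criteria met ({', '.join(hits)})"
    if len(hits) == 1:
        return False, f"1 criterion met ({hits[0]}): assess whether high risk nonetheless"
    return False, "no criteria met"


C = Criterion
# Constructed from the slide examples; criteria per row as the slides give them.
EXAMPLES = [
    Processing("hospital information system",
               frozenset({C.SENSITIVE_DATA, C.VULNERABLE_SUBJECTS, C.LARGE_SCALE})),
    Processing("highway camera with licence-plate recognition",
               frozenset({C.SYSTEMATIC_MONITORING, C.INNOVATIVE_USE})),
    Processing("systematic employee monitoring",
               frozenset({C.SYSTEMATIC_MONITORING, C.VULNERABLE_SUBJECTS})),
    Processing("individual physician or lawyer",
               frozenset({C.SENSITIVE_DATA, C.VULNERABLE_SUBJECTS}),
               exemption="individual professional, Recital 91"),
    Processing("social media profiling",
               frozenset({C.EVALUATION_OR_SCORING, C.LARGE_SCALE,
                          C.MATCHING_DATASETS, C.SENSITIVE_DATA})),
    Processing("national credit rating or fraud database",
               frozenset({C.EVALUATION_OR_SCORING, C.AUTOMATED_DECISION,
                          C.PREVENTS_RIGHT_OR_SERVICE, C.SENSITIVE_DATA})),
    Processing("online magazine daily digest", frozenset({C.LARGE_SCALE})),
    Processing("e-commerce adverts, limited first-party profiling",
               frozenset({C.EVALUATION_OR_SCORING})),
    Processing("archiving pseudonymised trial data",
               frozenset({C.SENSITIVE_DATA, C.VULNERABLE_SUBJECTS,
                          C.PREVENTS_RIGHT_OR_SERVICE})),
]


def screen_all() -> Dict[str, bool]:
    """Screen every example; returns name -> DPIA likely required."""
    return {p.name: screen(p)[0] for p in EXAMPLES}


if __name__ == "__main__":
    for p in EXAMPLES:
        required, why = screen(p)
        print(f"{'YES' if required else 'NO ':3} {p.name}: {why}")
```

Run as a script it prints one line per example with the rationale; the six YES rows and three NO rows reproduce the table above. The single-criterion branch deliberately returns "not required" with a review prompt rather than a verdict, mirroring the slides' point that one criterion is a matter of controller judgement.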
When isn’t a DPIA required?
When the processing is not "likely to result in a high risk", or a similar DPIA already
exists, or the processing was authorized prior to May 2018, or it has a legal basis, or it is
in the list of processing operations for which a DPIA is not required.
WP29 considers that a DPIA is not required in the following cases:
• where the processing is not "likely to result in a high risk to the rights and freedoms of
natural persons";
• when the nature, scope, context and purposes of the processing are very similar to
processing for which a DPIA has already been carried out;
• where a processing operation has a legal basis in EU law;
• where the processing is included on the optional list of processing operations for which
a DPIA is not required.
How to carry out a DPIA?
The DPIA should be carried out “prior to the processing” (Articles 35(1) and 35(10),
recitals 90 and 93). This is consistent with data protection by design and by default
principles (Article 25 and recital 78). The DPIA should be seen as a tool for helping
decision-making concerning the processing.

Who is obliged to carry out the DPIA? The controller, with the DPO and processors. The
controller is responsible for ensuring that the DPIA is carried out (Article 35(2)). Carrying
out the DPIA may be done by someone else, inside or outside the organization, but the
controller remains ultimately accountable for that task.
Role of the DPO in a DPIA
The WP29 recommends that the controller should seek the advice of the DPO on the
following issues, amongst others:
• whether or not to carry out a DPIA
• what methodology to follow when carrying out a DPIA
• whether to carry out the DPIA in-house or whether to outsource it
• what safeguards (including technical and organisational measures) to apply to mitigate
any risks to the rights and interests of the data subjects
• whether or not the data protection impact assessment has been correctly carried out
and whether its conclusions (whether or not to go ahead with the processing and
what safeguards to apply) are in compliance with the GDPR.
DPIA Template
Step 1: Identify the need for a DPIA
Step 2: Describe the processing
• Describe the nature of the processing;
• Describe the scope of the processing;
• Describe the context of the processing;
• Describe the purposes of the processing.
Step 3: Consultation process
Step 4: Assess necessity and proportionality
Step 5: Describe the processing
• Describe the source of risk and the nature of the potential impact on individuals.
Step 6: Identify measures to reduce risk
Step 7: Sign off and record outcomes
Data Breach

The GDPR introduces the requirement for a personal data breach to be notified to the
competent national supervisory authority (hereinafter “SA”) and, in certain cases, to
communicate the breach to the individuals whose personal data have been affected by
the breach (Articles 33 and 34).
As part of any attempt to address a breach the controller should first be able to recognise
one. The GDPR defines a “personal data breach” in Article 4 as: “a breach of security
leading to the accidental or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Exfiltration of job application data from a website

An employment agency was the victim of a cyber-attack, which placed malicious code
on its website. This malicious code made personal information submitted through online
job application forms and stored on the webserver accessible to unauthorized person(s).
213 such forms were possibly affected; after analysing the affected data it was determined
that no special categories of data were affected in the breach. The particular malware
toolkit installed had functionalities that allowed the attacker to remove any history of
exfiltration and also allowed processing on the server to be monitored and personal data
to be captured. The toolkit was discovered only a month after its installation.
Organizational and technical measures for preventing / mitigating the impacts of hacker attacks
1. State-of-the-art encryption and key management;
2. Keeping the system up to date (software and firmware);
3. Use of strong authentication methods;
4. Secure development standards;
5. Strong user privileges and access control management policy in place;
6. Use of appropriate firewall;
7. Penetration testing;
8. Backup testing.
Stolen material storing encrypted personal data

During a break-in into a children’s day-care centre, two tablets were stolen. The tablets
contained an app which held personal data about the children attending the day-care
centre. Name, date of birth and personal data about the education of the children were
concerned. Both the encrypted tablets, which were turned off at the time of the break-in,
and the app were protected by a strong password. Back-up data was effectively and
readily available to the controller. After becoming aware of the break-in, the day-care
remotely issued a command to wipe the tablets shortly after the discovery of the break-in.
Organizational and technical measures for preventing / mitigating the impacts of loss or theft of devices
1. Turn on device encryption;
2. Use a passcode/password on all devices;
3. Use multi-factor authentication;
4. Use MDM;
5. Save personal data;
6. Use of appropriate firewall;
7. Use a secure VPN.