On April 5, the "Article 29 Data Protection Working Party" published the "Guidelines on Data Protection Impact Assessment (DPIA)", which provide an authoritative interpretation of art. 34 of EU Regulation 2016/679.
The document runs to 19 pages (plus two annexes) and is very dense, given the complexity of the matter.
The guidelines show that the DPIA activity is quite complex and is characterized by:
- Risk management (the ISO 31000 approach may usefully be adopted), conducted on two levels:
  - information security,
  - assessment of the risk to the rights and freedoms of natural persons (the aspect specific to the DPIA);
- Repeating the DPIA whenever the risk arising from the nature, scope, context and purposes of the processing may change (and in any case at least every three years);
- Preparing the register of processing operations (as required by art. 30 of EU Regulation 2016/679).
The guidelines also make clear that, for all existing processing operations, the DPIA will have to be completed before the Regulation becomes applicable, that is at the latest by May 25, 2018 (no small task; it is time to get started). Video surveillance is a processing operation for which a DPIA must always be carried out.
The guidelines can be found here.