Managing personal data risks & conducting a data protection impact assessment under the GDPR

Managing personal data risks & conducting a data protection impact assessment under the GDPR

Before the adoption of the General Data Protection Regulation (GDPR), assessing the risks associated with processing personal data, in general, has not been mandatory under the Data Protection Directive (DPD). Although a risk-based approach is incorporated in the DPD regarding scientific research, data security and prior checking, this has not resulted into a standardized methodology for data protection risk assessment. However, the GDPR makes it mandatory to carry out a Data Protection Impact Assessment before engaging in any “risky” data processing.

This course will look at existing approaches in conducting a Privacy Impact Assessment (PIA) and the methodologies adopted by some data protection authorities such as the UK ICO, the French CNIL and the Spanish DPA.  Recently, the Belgian DPA published a draft recommendation on DPIA and Prior Consultation for public consultation, and the Article 29 Working Party has issued Guidelines on Data Protection Impact Assessment (DPIA) as part of its efforts at explaining the provisions of the General Data Protection Regulation (GDPR).

More importantly, this course will look at the relevant provisions of the GDPR regarding the scope, processes and documentation of DPIA. In general, this course will be interesting for students who wish to grasp one of the core functions of a Data Protection Officer as provided for by the GDPR. 

 

Literature:

 

The GDPR

 

The Article 29 Working Party Guidelines on Data Protection Impact Assessment (DPIA)

 

The European Commission Recommending on RFID

 

The European Commission Recommendation on Smart Meters and Smart Grid in 2012

 

UK’s ICO PIA Handbook and PIA code of practice

 

The French CNIL PIA Methodology

 

The Spanish DPA Guidelines

 

The Belgian DPA draft recommendation on DPIA and Prior Consultation for public consultation