Ample bandwidth has been eaten by panicky commentary over the fines possible under the EU’s upcoming General Data Protection Regulation (GDPR). Sure, the GDPR arms EU data protection authorities with a hefty compliance stick. Yet the focus on exorbitant fines seems a bit disingenuous given that EU enforcement has historically been infrequent and the fines modest.
On the other hand, genuine rewards may await companies that focus on the nitty-gritty of GDPR compliance. Companies can gain an advantage over competitors by digging into the GDPR, identifying their customers’ GDPR compliance obligations, and figuring out how to help customers manage those requirements. Analyzing the GDPR, how it interacts with your product or service, and its effect on your customers will require some effort. Luckily, the GDPR does not apply until May 2018, so there is time.
Below is one example of a GDPR issue to consider. Doing so now could help place your company ahead of the GDPR – in a good way.
The Data Protection Impact Assessment (DPIA): Does Your Product Trigger a DPIA Requirement?
A Data Protection Impact Assessment (DPIA) is a type of Privacy Impact Assessment (PIA) that triggers its own obligations, including record-keeping requirements. Under Article 35 of the GDPR, a data controller must conduct a DPIA, before the processing begins, if its data processing activities are “likely to result in a high risk to the rights and freedoms of natural persons.” Companies can preemptively analyze whether their goods or services might expose their customers to the risk of needing to conduct a DPIA. If the requirement is likely triggered, companies can prepare to help their customers navigate the DPIA landscape.
When is a DPIA required?
The challenge with the DPIA standard is that the GDPR itself only thinly describes the high-risk processing that makes one necessary: Article 35(3) names three cases (systematic and extensive automated evaluation, including profiling, with legal or similarly significant effects; large-scale processing of special categories of data or criminal-conviction data; and large-scale systematic monitoring of publicly accessible areas) and otherwise leaves the supervisory authorities to publish lists. The Article 29 Working Party (A29 WP) issued this draft Guidance to address that shortcoming (the final version is expected to be substantially similar). It lists criteria that, alone or in combination, could mean the responsible data controller must conduct a DPIA. Those include:
- Evaluation or scoring of an individual (e.g., profiling), especially where it relates to an individual’s performance at work, health, behavior, location, or movements;
- Automated decision making by the data controller that produces legal or similarly significant effects on an individual;
- Systematic monitoring of individuals;
- Large-scale processing;
- Matching or combining datasets, for example, combining previously collected data with data purchased from a third-party data broker; and
- Processing sensitive data (for example, the special categories of data under Article 9) or data concerning vulnerable data subjects, such as employees (as their relationship with their employer is not an equal one), children, and the elderly.
According to the A29 WP, a processing activity that meets only one of these criteria may not need a full DPIA, but one meeting two or more criteria will in most cases require one. A controller that concludes a processing activity meets the criteria yet is not likely to result in a high risk should document the reasons for not conducting a DPIA.
More Issues for the Data-Driven Marketing Industry
The GDPR presents a few conundrums for the data-driven marketing industry. While waiting for clarity in those areas, actors in the data-driven marketing industry can give extra thought to the “matching or combining” category above. A party purchasing data to match or combine with other data may be buying a requirement to conduct a DPIA as well. Data brokers that are prepared to help their customers understand what a DPIA is, whether one will be required, and what documentation is needed, will have an edge over their less prepared competition.
Those interested can begin to orient themselves around DPIA issues with this GDPR Compliance Questionnaire from the Bavarian Data Protection Authority (DPA). Although it addresses the GDPR more broadly, the questions related to the DPIA give a glimpse of the types of documents companies should probably have available for DPA review. The Bavarian DPA instructs a company to consider the following questions:
- Have you established an appropriate method in your enterprise for determining if a DPIA has to be conducted?
- Have you established an appropriate risk method in your enterprise for the conduct of a DPIA?
- Have you chosen a process for conducting the DPIA; have you already tested it?
These questions help identify the documentation to have available as evidence of proper DPIA due diligence: for example, a written policy setting out how the company assesses whether a DPIA is required, the risk methodology it uses to conduct one, and a record showing that the process has actually been tested.
Your GDPR Glass: half empty or half full?
While a breach of the GDPR can result in large fines, taking the time to consider GDPR compliance from your customer’s perspective could result in large benefits. Give your company a chance to reap the rewards of understanding the GDPR. And start now!
For GDPR-related inquiries, please contact Robert Stankey at 202.973.4214.