January 21, 2022

Volume XII, Number 21


Are Organizations Always Required to Conduct Data Protection Impact Assessments When They Profile Individuals?

No.

Within the United States, organizations will only be required to conduct data protection assessments under the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA) beginning in 2023 if the processing of personal data for purposes of profiling presents a “reasonably foreseeable risk” to individuals. The types of risks contemplated by the statutes include situations in which individuals may experience:1

  • Unfair or deceptive treatment,

  • Unlawful disparate impact,

  • Financial injury,

  • Physical injury,

  • Reputational injury,2

  • Physical intrusion upon solitude or seclusion which would be “offensive to a reasonable person,”

  • Non-physical (e.g., electronic) intrusion upon solitude or seclusion which would be “offensive to a reasonable person,”

  • Intrusion upon private affairs or concerns which would be “offensive to a reasonable person,” or

  • Other substantial injury.

Under the European General Data Protection Regulation (GDPR), organizations that utilize profiling are typically only required to conduct a data protection impact assessment in the following three situations:

  • The organization is utilizing profiling in conjunction with automated decision-making,3

  • The organization is utilizing, on a large scale, special category information to conduct profiling,4 or

  • The organization is utilizing profiling as part of the systematic monitoring of a publicly accessible area on a large scale.5


1 Va. Code 59.1-579(A)(3) (2021); C.R.S. 6-1-1309(2)(A)(I)-(IV) (2021).

2 Note that the Colorado Privacy Act does not identify reputational injury as a risk warranting a data protection assessment in the context of profiling.

3 GDPR, Art. 35(3)(a); WP 251, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, adopted on 3 October 2017, at 27.

4 GDPR, Art. 35(3)(b).

5 GDPR, Art. 35(3)(c).

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 321

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425