July 14, 2020

Volume X, Number 196

July 13, 2020

Assessing GDPR Guidelines Part II: Data Impact Assessments

Following up on yesterday’s blog about profiling and automated decision-making, we now look at guidance on the data protection impact assessment (DPIA). The same guidance we discussed also directs companies to conduct a DPIA where profiling or automated decision-making results in a “systematic and extensive evaluation” of an individual’s personal aspects and decisions are based on that evaluation that produce legal effects concerning the individual or similarly significantly affect them.

Additional guidelines released by the Article 29 Working Party last month provide more detail on DPIAs and when a DPIA is required. DPIAs are tools to manage risk and can be used by companies to demonstrate compliance with GDPR requirements. They are only required where the processing of personal data under the GDPR is “likely to result in a high risk to the rights and freedoms of natural persons.” The guidelines provide the following examples of processing that is likely to require a DPIA:

  • A hospital information system processing patients’ health data

  • A company that systematically monitors employees’ activities, including internet activity

  • The gathering of public social media data for generating profiles

The guidelines remind companies to conduct a DPIA before the processing begins. The DPIA is to include (1) a description of the processing and its purposes, (2) an assessment of the necessity and proportionality of the processing in relation to those purposes, (3) an assessment of the risks to the rights and freedoms of data subjects, and (4) the measures envisaged to address those risks and demonstrate compliance with the GDPR. Processing can commence where the DPIA shows that the envisaged measures reduce the risk to an acceptable level and the processing rests on a lawful basis under the GDPR. Where the DPIA indicates that a high residual risk remains despite those measures, the controller must consult the supervisory authority before processing begins (GDPR Article 36).

Putting it Into Practice: Companies trying to assess whether they need a DPIA under GDPR should keep in mind the timing of the assessment: it must be completed before processing starts, not after. A close look at the type of processing being conducted, measured against the examples in the guidelines, is an important first step.


Copyright © 2020, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume VII, Number 348


About this Author

Townsend Bourne, Government Affairs Attorney, Sheppard Mullin Law Firm

Ms. Bourne's practice focuses on Government Contracts law and litigation. Her experience includes complex litigation in connection with the False Claims Act, bid protest actions both challenging and defending agency decisions on contract awards before the Government Accountability Office and Court of Federal Claims, claims litigation before the Armed Services Board of Contract Appeals and the Civilian Board of Contract Appeals, investigating and preparing contractor claims, and conducting internal investigations.

Ms. Bourne advises clients on a...

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and external practitioners alike.”

She is known as an industry leader in the privacy and data security space and is consistently recognized by Leading Lawyers Network, Chambers and The Legal 500, and leading publications and organizations for her work in this area of law. Liisa was recently recognized as the 2017 Data Protection Lawyer of the Year - USA by Global 100, the 2017 U.S. Data Protection Lawyer of the Year by Finance Monthly, and the “Best in Data Security Law Services” at Corporate LiveWire’s 2017 Global Awards.