On 04 April 2017, the EU Article 29 Working Party (WP29) issued its much-anticipated draft Guidelines on Data Protection Impact Assessments (DPIAs), which will be required under Article 35 of the EU General Data Protection Regulation (GDPR). The draft Guidelines are open for comment from the public until 23 May 2017, after which the final Guidelines will be published. The DPIA Guidelines will be complemented by the WP29 Guidelines on Profiling, a draft of which is expected to be published later this year.

The draft DPIA Guidelines provide additional insights into the types of processing that will require a DPIA and the circumstances under which consultation with data protection authorities must be carried out. The requirement will apply to processing operations that meet the criteria of Article 35 and that are initiated after the GDPR becomes applicable, on 25 May 2018 (or that are modified in significant ways after that date). However, the WP29 recommends that DPIAs be carried out for all processing operations that meet the Article 35 criteria.

The draft DPIA Guidelines also:

• provide various examples of the types of processing operations that will be subject to DPIAs as well as the criteria that should be considered in assessing whether the processing is likely to present a high risk to the rights and freedoms of data subjects (thus triggering the DPIA obligation);
• clarify that prior consultation with the Data Protection Authority (DPA) is required when there is a “residual” high risk to the rights and freedoms of data subjects, even after remedial measures are applied to address the risks; and
• seek to promote the development of a common list of EU processing operations for which DPIAs are necessary, and for which they are not necessary, along with common criteria for specifying when DPAs should be consulted.