Our last article on November 15, 2018, discussed CNIL* Deliberation No. 2018-326 of November 6, 2018, on processing operations requiring an impact assessment under the GDPR**.

This article analyzes the second deliberation, No. 2018-326, published in the Official Gazette on the same day, which lays down the rules to be followed when carrying out an impact assessment.

Scope

Processing operations subject to an impact assessment

The GDPR sets out three types of processing operations concerned:

  • The systematic and thorough evaluation of personal aspects, based on automated processing, on the basis of which decisions are taken that produce legal effects concerning a natural person or that similarly significantly affect him or her,
  • Large-scale processing of sensitive data or data relating to criminal convictions and offences,
  • Systematic large-scale monitoring of a publicly accessible area.

The EDPB*** has identified nine criteria for characterizing a processing operation as likely to give rise to a high risk:

  • Data processed on a large scale,
  • Sensitive data (racial or ethnic origin, political opinions, etc.) or highly personal data (location data, financial data, etc.),
  • Data concerning vulnerable persons (children, elderly, etc.),
  • Cross-referencing or combining data,
  • Evaluation (including profiling),
  • Automated decision making with legal or similar effect,
  • Systematic monitoring of people,
  • Processing that may exclude persons from the benefit of a right, a service or a contract,
  • Innovative use or application of new technological or organizational solutions.

On this basis, the commission considers that a processing operation meeting at least two of the above criteria must be subject to an impact assessment.

However, it is possible not to follow this recommendation if the processing does not involve a high risk. In this case, the decision must still be explained and documented, including the opinion of the DPO****.

Conversely, if a processing operation meets only one criterion but nevertheless presents a high risk, an impact assessment will be required.

In case of doubt, the CNIL considers that an impact assessment must be carried out.

Finally, the CNIL reminds us that "the GDPR requires supervisory authorities to draw up a list of processing operations for which a DPIA is required", which was done with the deliberation discussed in our previous article. This list will be reviewed regularly by the CNIL.

Processing not subject to impact assessment

These are processing operations that do not entail a "high risk for the rights and freedoms of natural persons".

The GDPR allows national data protection authorities to adopt a list of processing operations that do not require an impact assessment; the CNIL will draw up this list shortly.

Processing operations that comply with a legal obligation are also not subject to an impact assessment.

An impact assessment is also not required "where the nature, scope, context and purposes of the processing operations envisaged" are very similar to a processing operation that has already been covered by an impact assessment carried out by the controller or "by a third party ([...] group of controllers, etc.)." In this case, the results of the impact assessment already conducted can be reused.

Special cases of processing carried out before the entry into force of the GDPR

The CNIL states, among other things, that processing operations implemented before May 25, 2018 that were the subject of a formality with the CNIL do not have to undergo an impact assessment within three years of May 25, 2018, unless they have been substantially modified.

Requirements for conducting an impact assessment

The impact assessment must:

  • Be performed prior to the implementation of the high-risk processing operation,
  • Be reviewed on a regular basis (at least every 3 years).

Article 35.7 of the GDPR sets out the minimum content of an impact assessment:

  • A systematic description of the envisaged processing operations and their purposes,
  • An assessment of the necessity and proportionality of the processing operations with regard to the purposes,
  • An assessment of the risks to the rights and freedoms of the persons concerned,
  • The measures envisaged to deal with the risks.

The CNIL considers that the impact assessment must satisfy the criteria identified by the EDPB in its October 4, 2017 guidelines ("Criteria for an acceptable DPIA").

An impact assessment must involve, depending on the context, all of the actors involved in the processing: the DPO****, the CISO*****, the processors (subcontractors), the data subjects, the project owner and the project manager.

The CNIL recommends documenting the contribution of each stakeholder, or the reason for not consulting them. It also recommends that the person responsible for conducting the impact assessment publish it.

Obligations to transmit an impact assessment to the CNIL

An impact assessment revealing high residual risks despite the measures envisaged by the data controller must be transmitted to the CNIL under the conditions provided for in Article 36 of the GDPR.
The data controller may, where relevant, rely on the sectoral guidelines issued by the CNIL.

The CNIL indicates that, pursuant to Article 58 of the GDPR (powers of investigation, adoption of corrective measures, etc.), it may request impact assessments from the data controllers concerned.

CNIL*: Commission nationale de l'informatique et des libertés

GDPR**: General Data Protection Regulation

EDPB***: European Data Protection Board

DPO****: Data Protection Officer, the person in charge of the protection of personal data processed by an organization

CISO*****: Chief Information Security Officer (RSSI in French)