Data protection impact assessments

Author: Michèle Finck
Blockchain and the General Data Protection Regulation
9. Data protection impact assessments
Where data processing is likely to result in a high risk to fundamental rights, the controller ought
to take preventive action and carry out a Data Protection Impact Assessment ('DPIA') to determine
the impact of the processing on the protection of personal data.529 DPIAs are evaluations of the impact of the
planned processing operations on data subjects that ought to be carried out by data controllers
where the nature, scope, context and purposes of the processing are likely to result in a high risk to the rights and
freedoms of natural persons, which can be the case in particular where new technologies are used.530
This is required in particular where there is 'a systematic and extensive evaluation of personal
aspects relating to natural persons which is based on automated processing, including profiling,
and on which decisions are based that produce legal effects concerning the natural person or
similarly significantly affect the natural person'.531
Under Article 35(3) GDPR, such impact assessments are required in particular where
processing involves (i) a systematic and extensive evaluation of personal aspects of natural persons
based on automated processing; (ii) large-scale processing of special categories of data or of data relating to criminal convictions and
offences; or (iii) the systematic monitoring of a publicly accessible area on a large scale.532
Where a DPIA indicates that the processing would result in a high risk for data subjects and no
measures to mitigate the risk can be taken, the controller is required to inform the supervisory
Pursuant to Article 35(7) GDPR, this assessment ought to contain a systematic description of the
envisaged processing operations and their purposes (including, where applicable, the legitimate
interest pursued by the controller), an assessment of the necessity and
proportionality of the processing in relation to those purposes, an assessment of the risks to the rights
and freedoms of data subjects, and the measures envisaged to address those risks.
It is important to stress that the need for a DPIA arises not so much because a specific
technology is used but rather because the processing in question is deemed particularly risky,
such as where special categories of data or data relating to criminal convictions or
offences are processed on a large scale534 or a publicly accessible area is systematically monitored on a large scale.535
The need for a data protection impact assessment thus arises where there is a high risk for data
subjects, rather than through the use of a particular technology.
Nonetheless, the use of a new technology may in itself be considered to give rise to a high risk.
Indeed, the United Kingdom's Data Protection Authority considers that a DPIA must be carried out
whenever a new technology is used.536 What qualifies as a new technology is, however, notoriously
difficult to define, as any innovation builds on previous innovations. Indeed, it was noted
in the introductory section that although blockchain can clearly be considered 'new', it is essentially
based on a number of innovations that date back several decades. Further, one may wonder,
even if one assumes that blockchain is a new technology, for what period it can be
