Data protection impact assessments

• Author: Michèle Finck
• Pages: 87-88

Blockchain and the General Data Protection Regulation

87

9.Data protection impact assessments

Where data processing is likely to result in a high risk to fundamental rights, the controller ought

to take preventive action and carry out a Data ProtectionImpact Assessment ('DPIA') to determine

the impact of processing on personal data protection. 529DPIAs are evaluations of the impact of the

planned processing operations on data subjects that ought to be carried out by data controllers

where the nature, scope, context and purposes of processing are of high risk to the rights and

freedoms of natural parties, which can be the case in particular where new technologies are used.530

This is required in particular where there is a 'a systematic and extensive evaluation of personal

aspects relating to natural persons which is based on automated processing, including profiling,

and on which decisions are based that produce legal effects concerning the natural person or

similarly significantly affect the natural person'.531

Under Article 35GDPR, such impact assessments are recommended in particular where

processing involves (i) a systemic and extensive evaluation of personal aspects of natural persons

based on automated processing; (ii) sensitive data and data related tocriminal convictions and

offences or (iii) where the systematic monitoring of a publicly accessible area on large scale is

involved.532Where a DPIA indicates that processing results in a high risk for data subjects and no

measures to mitigate the risks canbe taken, the controller is required to inform the supervisory

authority.533

Pursuant to Article 35(7) GDPR, this assessment ought to provide a systematic description of the

purposes and processing activities (as well as, where applicable, any assessment ofthe legitimate

interest of the controller to process personal data), an assessment of the necessity and

proportionality of the processing (in relation to the purpose), an assessment of the risks and rights

and freedoms of data subjects as well as the envisaged measu res to address such risks.

It is important to stress that the need for a DPIA arises not so much because a specific

technology is used but rather because the processing in question is deemed particularly risky,

such as where a large scale of special categories of data or data related to criminal convictions or

offenses is processed534or a publicly accessible area is systemically monitored on a large scale.535

The need for a data protection impact assessment thus arises where there is a high risk for data

subjects, rather than through the use of a particular technology.

Nonetheless, the use of a new technology may in itself be considered as giving rise to a high risk.

Indeed, the United Kingdom's Data Protection Authority considers that a DPIA must be carried out

whenever a new technologyis used.536What qualifies as a new technology is, however, notoriously

difficult to define as any innovation always builds on previous innovations. Indeed, it has been noted

in the introductory section that although blockchain can clearly be considered 'new' it is essentially

based on a number of innovations that date back to a few decades ago. Further, one may wonder

whether even though one assumes that blockchain is a new technology, for what period it can be

529Article 35 (1) GDPR.

530Article 35(1) GDPR.

531Article 35 (3)(a) GDPR.

532Article 35(3) GDPR.

533Article 36(1) GDPR.

534Article 35 (3)(b) GDPR.

535Article 35 (3)(c) GDPR.

536https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-

governance/data-protection-impact-assessments/