The European Data Protection Supervisor, Wojciech Wiewiórowski, submitted on Monday 6 July additional guidelines for European institutions to support them when carrying out data protection impact assessments.
These additional ‘tips’ accompany the implementation of Regulation 2018/1725 on the processing of personal data by EU institutions, bodies, offices and agencies. According to this Regulation, an impact assessment must be carried out for the processing of information which poses a high risk to the rights and freedoms of natural persons (such as profiling or large-scale systematic surveillance of an area accessible to the public).
The European Data Protection Supervisor’s (EDPS) report is based on the replies of 40 Data Protection Officers. It notes that the majority of EU bodies have not finalised an impact assessment within the meaning of Article 39 of the Regulation. However, those that have, had two characteristics: a variable size (from 5 to 55 pages) and a variable appreciation of the notion of ‘risk’. For the rest, the report remains rather vague, refusing to “reprimand the bad students”. However, it allows the EDPS to provide more guidance on when to conduct such a survey, on the need to harmonise methodologies or to share good practices. See the report: https://bit.ly/3gqWyde (Original version in French by Sophie Petitjean)