Privacy Impact Assessment
Lina Jasmontaite, Brussels Privacy Hub, LSTS, VUB

On 4 October 2016, as part of the GDPR Workshop series, the Brussels Privacy Hub hosted a workshop on implementation of the EU GDPR and Privacy Impact Assessment. The workshop was divided into two sessions. 

The first one consisted of a joint presentation by Rowena Rodrigues and Julia Muraszkewicz from Trilateral Research Ltd., exploring some of the challenges associated to  DPIAs. The presentation was based upon two of Trilateral’s research projects: SATORI and iTRACK. The presentation addressed the DPIA related requirements to be found in the GDPR. Among the challenges discussed it put the emphasis upon the need to determine who has the most adequate expertise, what type of impact assessment is most appropriate (e.g., scope, scale), or how to ensure that it is of sufficient quality. It then presented a case-study based on the iTRACK project. It was followed by a Q&A session.

The second part of the workshop consisted in open discussion with the audience. It was chaired and steered by Raphaël Gellert and Niels Van Dijk from VUB-LSTS and the D/PIALAB. Two themes in particular garnered particular attention: the difference between a PIA and a DPIA, and the issue of public participation in DPIA. Concerning the first issue, there seemed to be a consensus concerning the fact that DPIAs are limited to complying with the GDPR. The articulation between complying with GDPR and assessing the risks to the rights and freedoms of the data subjects continued remains unclear to the audience, as is the added value of a DPIA limited to compliance. Concerning the issue of public participation, the discussion highlighted the difficulty of identifying who the relevant public is. Comparisons were made with environmental law, which has a broad scope ratione personae (i.e., it can extend to all concerned persons, not only affected persons). There was also some important discussion on the scope ratione materiae of this provision, i.e., to which processing operations should it apply? It seems further guidance from the EDPB will be needed to define the high risk processing operations where such participation is seen as appropriate.