On October 4, 2017, the Article 29 Working Party (the “Working Party”) revised and adopted the final version of the Guidelines on data protection impact assessments (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (the “Guidelines”). The Guidelines were first published for comment on April 4, 2017, and the final publication of these revised Guidelines follows the public consultation that ended in May 2017.

In general, the revised and final Guidelines do not differ substantially from the original Guidelines published in April 2017. The following amendments, however, are worth noting:

  • The Working Party emphasized the importance of DPIAs as a risk management tool. In addition, the Working Party stated that even where the conditions triggering the obligation to carry out a DPIA have not been met, data controllers are not exempt from implementing appropriate risk management measures, as well as continuously assessing the risks associated with their data processing activities.
  • The list of criteria to consider when determining whether processing activities are likely to result in a high risk has been amended. The Working Party has now removed the criterion of “data transfer across borders outside the European Union” that was included in the original version of the Guidelines.
  • The list of examples of processing activities likely to trigger the obligation to conduct DPIAs was expanded with the following example: “An institution creating a national level credit rating or fraud database.”

The Working Party strongly emphasized the importance of continuously assessing whether data processing activities trigger the need to conduct a DPIA in light of potential changes affecting such activities (i.e., change to the risks resulting from the processing operations or changes in the implementation of the processing activities affecting their scope, purpose, the type of personal data collected, the identity of the data controller(s), data retention period, technical and organizational measures, etc.), independent of prior DPIAs or prior checking performed by the supervisory authority or the data protection officer.