BRUSSELS PRIVACY HUB
Brussels Privacy Hub Workshop Summary
Implementation of the GDPR and Privacy Impact Assessment
On 4 October 2016, the Brussels Privacy Hub hosted a workshop on Privacy Impact Assessments at the Institute of European Studies, the Vrije Universiteit Brussel. The workshop was part of the BPH Workshops Series on the Implementation of the GDPR. The workshop was divided into two sessions.
The first session consisted of a joint presentation by Rowena Rodrigues and Julia Muraszkiewicz from Trilateral Research Ltd., exploring some of the challenges associated with DPIAs. The presentation was based on two of Trilateral’s research projects, SATORI and iTRACK, and addressed the DPIA-related requirements in the GDPR. Among the challenges discussed, it emphasised the need to determine who has the most adequate expertise, what type of impact assessment is most appropriate (e.g., scope, scale), and how to ensure that the assessment is of sufficient quality. It then presented a case study based on the iTRACK project. The presentation was followed by a Q&A session.
The second part of the workshop consisted of an open discussion with the audience. It was chaired and steered by Raphaël Gellert and Niels Van Dijk from VUB-LSTS and the D/PIALAB. Two themes garnered particular attention: the difference between a PIA and a DPIA, and the issue of public participation in DPIAs. On the first issue, there seemed to be a consensus that DPIAs are limited to complying with the GDPR. How complying with the GDPR relates to assessing the risks to the rights and freedoms of data subjects remained unclear to the audience, as did the added value of a DPIA limited to compliance. On the issue of public participation, the discussion highlighted the difficulty of identifying who the relevant public is. Comparisons were made with environmental law, which has a broad scope ratione personae (i.e., it can extend to all concerned persons, not only affected persons). There was also some important discussion on the scope ratione materiae of this provision, i.e., which processing operations it should apply to. It seems further guidance from the EDPB will be needed to define the high-risk processing operations where such participation is seen as appropriate.