
The General Data Protection Regulation (GDPR, 2018) is the core instrument of the personal data protection law in the European Union (EU) and has substantially reformed the legislative framework compared to the former applicable law, the Data Protection Directive (DPD, 1995). One of the newly introduced requirements in the GDPR has been the obligation to conduct a data protection impact assessment (DPIA) (Article 35 GDPR). With regard to this process, it constitutes a form of impact assessment (IA) and, to a large extent, is a variation of privacy impact assessment (PIA). In general, impact assessment and similar ex ante evaluation techniques have proliferated so as to address largely unpredictable effects of emerging technologies, before they materialize.
The objective of this guidance document is to provide the necessary foundations for the legal requirements of the DPIA process in the heavily regulated telecommunications sector in Belgium. The obligation to conduct a DPIA reflects the risk-based approach to the protection of personal data and the strengthening of the principle of accountability therein (Article 5(2) GDPR). Alongside many other advantages, actors in the telecommunications sector would benefit in multiple ways from conducting this process, not only because it would achieve legal compliance, but also because it would demonstrate a systematization of their data processing operations. Indeed, the activity of the telecommunications sector ranges from continuously handling requests regarding personalized products and services and concluding contracts with customers, to optimizing the network and monitoring its performance.
In order to navigate the assessment process, the essential framework of IA is presented first. This is part of the architecture of impact assessment and consists of the principles and conditions governing its theory and practice, e.g. the independence of the assessors, reasonable transparency, and its adaptive and inclusive character. The second element of the architecture is the method, which has been tailored to correspond to the reality and needs of the telecommunications sector in Belgium. The selected method includes a series of building blocks, split into four phases: the preparation phase, the assessment phase, the post-assessment phase and the ongoing phase.
During the preparation phase, a preliminary description of the envisaged data processing operations is sought, in order to determine whether or not a DPIA is required. If so, the assessors carry out the threshold analysis, determining whether the processing operations are likely to result in a high risk to the rights and freedoms of individuals. The GDPR, the European Data Protection Board (EDPB) and the national Data Protection Authorities (DPAs) have each assumed a role in setting such criteria of high risk. Subsequently, during the scoping step, the applicable legislation, the stakeholders and the appraisal techniques are determined, among others. The first phase is concluded with the planning of the assessment process, including the resources necessary to conduct it.
The essence of the DPIA lies within the second phase, namely the assessment phase. Here, a quite extensive description of the contextual and technical aspects of the envisaged processing operations is provided. This serves as the basis for the actual assessment through two distinct appraisal techniques, as required by the GDPR, namely: a) the necessity and proportionality assessment, aiming largely to observe the proper implementation of the personal data protection principles; and b) the assessment of the risks to the rights and freedoms of data subjects, in which possible risks are identified, analysed as to their likelihood and severity, and for which mitigation measures are recommended. To that end, a rigorous method is employed, ensuring that the assessment is made on a fact-based analysis, built on sufficient, clearly described and verifiable evidence.
Next, two milestones are provided for during the post-assessment phase. In case of high residual risk, and in the absence of measures or recommendations adopted by the controller to mitigate the risks after conducting a DPIA, the step of prior consultation with the DPA is triggered, in which the latter shall be informed and shall act, if necessary. Moreover, this phase includes a step dedicated to the revision of a DPIA, at least when there is a change in the risk represented by the processing operations.
The three phases above are continuously supplemented by an ongoing, cross-cutting phase, in particular encompassing the step of stakeholder involvement, the step of quality control of the assessment process and the step of documentation. All three remain indispensable for achieving an excellent and trustworthy result.
Lastly, a comprehensive list of annexes concludes this guidance document. The goal of these annexes is essentially to provide inventories of relevant information (knowledge bases) for the relevant building blocks, appended to the present document.
Original language: English
Place of publication: Brussels
Publisher: AGORIA VZW
Commissioning body: VZW
Number of pages: 93
Publication status: Published - 30 Oct 2020

Research areas

  • data protection, privacy, GDPR, telecommunication sector, DPIA, impact assessment, data protection impact assessment

ID: 54554181